edd422b2cd80a2f9eb6f6f4dfd882f473657b8b8f49beba19723a12793d7a030

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6faa5d0a750c9d452ea15096f191560N.exe
Size

122KB
MD5

e6faa5d0a750c9d452ea15096f191560
SHA1

d4c5479c62c3875b01416fd7e74a837bc25594c6
SHA256

edd422b2cd80a2f9eb6f6f4dfd882f473657b8b8f49beba19723a12793d7a030
SHA512

8c9d70d011006910feb8f930bf720ae600cb640783b77360bcc2d5a783db6a6c7b95d1ba41d26877433e5ddd7d514fe5d262ad6e1e29a319358e025152dfa7eb
SSDEEP

1536:lvm1Fu8AjYaFwjRUdW7fmyY7aZYJVmy0KQbj6vbjuKoauGi4k:6u8ANCUdgfmD7zey0KUj6TjR9i4k

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2732	backup.exe
2700	backup.exe
2604	data.exe
2632	backup.exe
1632	backup.exe
1580	backup.exe
1276	backup.exe
1440	backup.exe
1132	backup.exe
2896	backup.exe
568	backup.exe
1728	backup.exe
1588	backup.exe
2224	backup.exe
1952	backup.exe
112	backup.exe
2204	backup.exe
1772	backup.exe
1104	update.exe
712	backup.exe
3068	data.exe
1320	backup.exe
2440	System Restore.exe
1608	backup.exe
2852	backup.exe
2836	backup.exe
2580	backup.exe
2212	backup.exe
1584	backup.exe
2340	backup.exe
2976	data.exe
2868	backup.exe
1692	backup.exe
1392	backup.exe
2416	backup.exe
796	backup.exe
2104	backup.exe
2684	backup.exe
2140	backup.exe
2192	backup.exe
2088	backup.exe
1732	backup.exe
1876	backup.exe
1552	backup.exe
2024	backup.exe
2460	backup.exe
720	backup.exe
1760	backup.exe
2380	backup.exe
2728	backup.exe
2832	backup.exe
2392	backup.exe
2648	backup.exe
2576	System Restore.exe
2744	backup.exe
900	backup.exe
1112	backup.exe
2340	backup.exe
1808	backup.exe
2664	backup.exe
2916	backup.exe
1692	backup.exe
2128	backup.exe
2132	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1276	backup.exe
1276	backup.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1132	backup.exe
1132	backup.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1524	e6faa5d0a750c9d452ea15096f191560N.exe
1588	backup.exe
1588	backup.exe
2224	backup.exe
2224	backup.exe
1588	backup.exe
1588	backup.exe
112	backup.exe
112	backup.exe
2204	backup.exe
2204	backup.exe
112	backup.exe
1104	update.exe
1104	update.exe
1104	update.exe
1104	update.exe
1104	update.exe
712	backup.exe
712	backup.exe
712	backup.exe
712	backup.exe
712	backup.exe
3068	data.exe
3068	data.exe
3068	data.exe
712	backup.exe
712	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
2440	System Restore.exe
2440	System Restore.exe
2440	System Restore.exe
1320	backup.exe
1320	backup.exe
1608	backup.exe
1608	backup.exe
1608	backup.exe
1320	backup.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\backup.exe	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\backup.exe	Process not Found
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\backup.exe	Process not Found
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\backup.exe	Process not Found
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\backup.exe	update.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\backup.exe	Process not Found
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\backup.exe	Process not Found
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\backup.exe	Process not Found
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\data.exe	Process not Found
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\backup.exe	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\backup.exe	Process not Found
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\backup.exe	Process not Found
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\backup.exe	Process not Found
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	data.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\backup.exe	Process not Found
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\data.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\backup.exe	backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\1040\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\ipdmctrl\11.0.0.0__71e9bce111e9429c\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\d660f850b373b57c4e22a7100feeb1a4\backup.exe	Process not Found
File opened for modification	C:\Windows\inf\PNRPSvc\040C\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Internal.Tasks.Dataflow\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\napcrypt\backup.exe	Process not Found
File opened for modification	C:\Windows\IME\en-US\backup.exe	Process not Found
File opened for modification	C:\Windows\PLA\Reports\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\es\backup.exe	Process not Found
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\0009\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Mcx2Dvcs\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\1033\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\naphlpr\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\c9bdcf9e45459b60e542e8f270de0c52\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\DigitalLocker\backup.exe	backup.exe
File opened for modification	C:\Windows\inf\ASP.NET\0006\backup.exe	Process not Found
File opened for modification	C:\Windows\Resources\Themes\Aero\Shell\NormalColor\es-ES\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\32088676b4c08d192aae910cac1dade4\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\b5e6aa065d13e30c27219186f8e02689\backup.exe	Process not Found
File opened for modification	C:\Windows\inf\MSDTC\040C\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MMCFxCommon\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Managemen#\630257a0b042768c2e3104a36559c1a9\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\Help\Windows\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\Resources\Themes\Aero\Shell\NormalColor\ja-JP\backup.exe	Process not Found
File opened for modification	C:\Windows\DigitalLocker\it-IT\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\data.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\a9f43923aab0d83b93cbf10ac1dfd0b5\System Restore.exe	Process not Found
File opened for modification	C:\Windows\inf\MSDTC Bridge 3.0.0.0\0C0A\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Security.#\33f2c8336e497fc65c9d414c2a7061d8\backup.exe	Process not Found
File opened for modification	C:\Windows\Globalization\ELS\backup.exe	Process not Found
File opened for modification	C:\Windows\inf\ASP.NET\001D\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\4c0fa9d495ac562afcb136f3e9a87cb9\System Restore.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine.resources\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\ISymWrapper\v4.0_4.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\3082\backup.exe	Process not Found
File opened for modification	C:\Windows\inf\BITS\0000\data.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\PresentationCore\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\000C\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Internal.Tasks.Dataflow\v4.0_4.0.0.0__b77a5c561934e089\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\inf\BITS\0410\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\backup.exe	Process not Found
File opened for modification	C:\Windows\Resources\Themes\Aero\es-ES\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\9859a6e0562f64eacfb8ad76f260a2d6\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\backup.exe	Process not Found
File opened for modification	C:\Windows\PolicyDefinitions\en-US\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\backup.exe	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\backup.exe	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2796	backup.exe
2804	backup.exe
1688	backup.exe
2840	backup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1524	e6faa5d0a750c9d452ea15096f191560N.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1524	e6faa5d0a750c9d452ea15096f191560N.exe
2732	backup.exe
2700	backup.exe
2604	data.exe
2632	backup.exe
1632	backup.exe
1580	backup.exe
1276	backup.exe
1440	backup.exe
1132	backup.exe
2896	backup.exe
568	backup.exe
1728	backup.exe
1588	backup.exe
2224	backup.exe
1952	backup.exe
112	backup.exe
2204	backup.exe
1772	backup.exe
1104	update.exe
712	backup.exe
3068	data.exe
1320	backup.exe
2440	System Restore.exe
1608	backup.exe
2852	backup.exe
2836	backup.exe
2580	backup.exe
2212	backup.exe
1584	backup.exe
2340	backup.exe
2976	data.exe
2868	backup.exe
1692	backup.exe
1392	backup.exe
2416	backup.exe
796	backup.exe
2104	backup.exe
2684	backup.exe
2140	backup.exe
2192	backup.exe
2088	backup.exe
1732	backup.exe
1876	backup.exe
1552	backup.exe
2024	backup.exe
2460	backup.exe
720	backup.exe
1760	backup.exe
2380	backup.exe
2728	backup.exe
2832	backup.exe
2392	backup.exe
2648	backup.exe
2576	System Restore.exe
2744	backup.exe
900	backup.exe
1112	backup.exe
2340	backup.exe
1808	backup.exe
2664	backup.exe
2916	backup.exe
1692	backup.exe
2128	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2732	1524	e6faa5d0a750c9d452ea15096f191560N.exe	30
PID 1524 wrote to memory of 2732	1524	e6faa5d0a750c9d452ea15096f191560N.exe	30
PID 1524 wrote to memory of 2732	1524	e6faa5d0a750c9d452ea15096f191560N.exe	30
PID 1524 wrote to memory of 2732	1524	e6faa5d0a750c9d452ea15096f191560N.exe	30
PID 1524 wrote to memory of 2700	1524	e6faa5d0a750c9d452ea15096f191560N.exe	31
PID 1524 wrote to memory of 2700	1524	e6faa5d0a750c9d452ea15096f191560N.exe	31
PID 1524 wrote to memory of 2700	1524	e6faa5d0a750c9d452ea15096f191560N.exe	31
PID 1524 wrote to memory of 2700	1524	e6faa5d0a750c9d452ea15096f191560N.exe	31
PID 1524 wrote to memory of 2604	1524	e6faa5d0a750c9d452ea15096f191560N.exe	32
PID 1524 wrote to memory of 2604	1524	e6faa5d0a750c9d452ea15096f191560N.exe	32
PID 1524 wrote to memory of 2604	1524	e6faa5d0a750c9d452ea15096f191560N.exe	32
PID 1524 wrote to memory of 2604	1524	e6faa5d0a750c9d452ea15096f191560N.exe	32
PID 1524 wrote to memory of 2632	1524	e6faa5d0a750c9d452ea15096f191560N.exe	33
PID 1524 wrote to memory of 2632	1524	e6faa5d0a750c9d452ea15096f191560N.exe	33
PID 1524 wrote to memory of 2632	1524	e6faa5d0a750c9d452ea15096f191560N.exe	33
PID 1524 wrote to memory of 2632	1524	e6faa5d0a750c9d452ea15096f191560N.exe	33
PID 1524 wrote to memory of 1632	1524	e6faa5d0a750c9d452ea15096f191560N.exe	34
PID 1524 wrote to memory of 1632	1524	e6faa5d0a750c9d452ea15096f191560N.exe	34
PID 1524 wrote to memory of 1632	1524	e6faa5d0a750c9d452ea15096f191560N.exe	34
PID 1524 wrote to memory of 1632	1524	e6faa5d0a750c9d452ea15096f191560N.exe	34
PID 1524 wrote to memory of 1580	1524	e6faa5d0a750c9d452ea15096f191560N.exe	35
PID 1524 wrote to memory of 1580	1524	e6faa5d0a750c9d452ea15096f191560N.exe	35
PID 1524 wrote to memory of 1580	1524	e6faa5d0a750c9d452ea15096f191560N.exe	35
PID 1524 wrote to memory of 1580	1524	e6faa5d0a750c9d452ea15096f191560N.exe	35
PID 1524 wrote to memory of 1276	1524	e6faa5d0a750c9d452ea15096f191560N.exe	36
PID 1524 wrote to memory of 1276	1524	e6faa5d0a750c9d452ea15096f191560N.exe	36
PID 1524 wrote to memory of 1276	1524	e6faa5d0a750c9d452ea15096f191560N.exe	36
PID 1524 wrote to memory of 1276	1524	e6faa5d0a750c9d452ea15096f191560N.exe	36
PID 1276 wrote to memory of 1440	1276	backup.exe	37
PID 1276 wrote to memory of 1440	1276	backup.exe	37
PID 1276 wrote to memory of 1440	1276	backup.exe	37
PID 1276 wrote to memory of 1440	1276	backup.exe	37
PID 1524 wrote to memory of 1132	1524	e6faa5d0a750c9d452ea15096f191560N.exe	38
PID 1524 wrote to memory of 1132	1524	e6faa5d0a750c9d452ea15096f191560N.exe	38
PID 1524 wrote to memory of 1132	1524	e6faa5d0a750c9d452ea15096f191560N.exe	38
PID 1524 wrote to memory of 1132	1524	e6faa5d0a750c9d452ea15096f191560N.exe	38
PID 1132 wrote to memory of 2896	1132	backup.exe	39
PID 1132 wrote to memory of 2896	1132	backup.exe	39
PID 1132 wrote to memory of 2896	1132	backup.exe	39
PID 1132 wrote to memory of 2896	1132	backup.exe	39
PID 1524 wrote to memory of 568	1524	e6faa5d0a750c9d452ea15096f191560N.exe	40
PID 1524 wrote to memory of 568	1524	e6faa5d0a750c9d452ea15096f191560N.exe	40
PID 1524 wrote to memory of 568	1524	e6faa5d0a750c9d452ea15096f191560N.exe	40
PID 1524 wrote to memory of 568	1524	e6faa5d0a750c9d452ea15096f191560N.exe	40
PID 1524 wrote to memory of 1728	1524	e6faa5d0a750c9d452ea15096f191560N.exe	41
PID 1524 wrote to memory of 1728	1524	e6faa5d0a750c9d452ea15096f191560N.exe	41
PID 1524 wrote to memory of 1728	1524	e6faa5d0a750c9d452ea15096f191560N.exe	41
PID 1524 wrote to memory of 1728	1524	e6faa5d0a750c9d452ea15096f191560N.exe	41
PID 2732 wrote to memory of 1588	2732	backup.exe	42
PID 2732 wrote to memory of 1588	2732	backup.exe	42
PID 2732 wrote to memory of 1588	2732	backup.exe	42
PID 2732 wrote to memory of 1588	2732	backup.exe	42
PID 1588 wrote to memory of 2224	1588	backup.exe	43
PID 1588 wrote to memory of 2224	1588	backup.exe	43
PID 1588 wrote to memory of 2224	1588	backup.exe	43
PID 1588 wrote to memory of 2224	1588	backup.exe	43
PID 2224 wrote to memory of 1952	2224	backup.exe	44
PID 2224 wrote to memory of 1952	2224	backup.exe	44
PID 2224 wrote to memory of 1952	2224	backup.exe	44
PID 2224 wrote to memory of 1952	2224	backup.exe	44
PID 1588 wrote to memory of 112	1588	backup.exe	45
PID 1588 wrote to memory of 112	1588	backup.exe	45
PID 1588 wrote to memory of 112	1588	backup.exe	45
PID 1588 wrote to memory of 112	1588	backup.exe	45

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found

C:\Users\Admin\AppData\Local\Temp\e6faa5d0a750c9d452ea15096f191560N.exe
"C:\Users\Admin\AppData\Local\Temp\e6faa5d0a750c9d452ea15096f191560N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\1442190504\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1442190504\backup.exe C:\Users\Admin\AppData\Local\Temp\1442190504\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1952
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:112
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2204
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
    - - C:\Program Files\Common Files\update.exe
        
        "C:\Program Files\Common Files\update.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1104
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:712
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:2196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:2120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:2480
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:2204
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2500
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2112
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:2460
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2444
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2780
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:2772
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:3052
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:2844
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:2608
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:3048
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2556
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2340
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:2636
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:2868
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:2156
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2104
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:540
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:2192
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1464
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:3008
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1720
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1804
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:2300
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:332
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2492
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:340
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2724
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:2380
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2824
        
        C:\Program Files\Common Files\System\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\System\de-DE\System Restore.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2772
        
        C:\Program Files\Common Files\System\en-US\update.exe
        
        "C:\Program Files\Common Files\System\en-US\update.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2836
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2620
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1628
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2124
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2780
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2376
        
        C:\Program Files\Common Files\System\msadc\de-DE\data.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\data.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:2904
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:864
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:2752
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2156
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1036
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:2268
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2152
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1408
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2996
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:2192
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:2432
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:2148
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1748
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:1268
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:1020
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:960
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:720
      - C:\Program Files\DVD Maker\fr-FR\data.exe
        
        "C:\Program Files\DVD Maker\fr-FR\data.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2172
      - C:\Program Files\DVD Maker\it-IT\update.exe
        
        "C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2440
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2680
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1604
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:2736
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:2300
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        System policy modification
        
        PID:2600
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:3040
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:2844
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:2884
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:324
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2388
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1492
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2980
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1808
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2876
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2616
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:2924
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:2068
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:2816
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:592
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:2368
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:2264
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:2364
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:1644
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:716
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1952
        
        C:\Program Files\Google\Chrome\Application\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\System Restore.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1616
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        
        PID:2332
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        
        PID:1932
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:2236
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2944
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:2052
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        System policy modification
        
        PID:1776
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:320
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\System Restore.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:1636
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        
        PID:2948
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:2028
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1576
    - - C:\Program Files\Internet Explorer\System Restore.exe
        
        "C:\Program Files\Internet Explorer\System Restore.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2380
      - C:\Program Files\Internet Explorer\de-DE\update.exe
        
        "C:\Program Files\Internet Explorer\de-DE\update.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2800
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2588
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2836
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2652
      - C:\Program Files\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files\Internet Explorer\it-IT\System Restore.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2744
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2908
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2880
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1648
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1440
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:2932
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:2240
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        8⤵
        
        PID:2896
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        8⤵
        
        PID:2084
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:568
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
        8⤵
        
        PID:2156
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
        9⤵
        
        PID:2292
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        
        PID:2368
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
        8⤵
        
        PID:2164
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
        9⤵
        
        PID:2256
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
        9⤵
        
        PID:920
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
        9⤵
        
        PID:1604
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
        8⤵
        
        PID:2120
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
        9⤵
        
        PID:1764
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
        9⤵
        
        PID:1736
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
        9⤵
        
        PID:2432
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
        9⤵
        
        PID:3008
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
        9⤵
        
        PID:2944
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
        9⤵
        
        PID:2860
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
        9⤵
        
        PID:856
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
        10⤵
        
        PID:332
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
        9⤵
        
        PID:604
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
        9⤵
        
        PID:1948
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
        9⤵
        
        PID:2460
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
        9⤵
        Drops file in Program Files directory
        
        PID:2956
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
        10⤵
        System policy modification
        
        PID:600
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
        10⤵
        
        PID:2036
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
        11⤵
        
        PID:2720
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
        11⤵
        
        PID:2772
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
        11⤵
        
        PID:2592
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
        11⤵
        
        PID:1528
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
        10⤵
        
        PID:2620
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
        10⤵
        
        PID:272
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
        10⤵
        
        PID:1580
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
        10⤵
        
        PID:1496
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
        10⤵
        
        PID:2676
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
        10⤵
        
        PID:1536
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
        10⤵
        
        PID:2188
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
        10⤵
        
        PID:2644
        
        C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
        7⤵
        
        PID:2068
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
        8⤵
        Drops file in Program Files directory
        
        PID:1960
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
        9⤵
        
        PID:2260
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        
        PID:2752
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:2208
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
        9⤵
        
        PID:2116
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1620
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        
        PID:1268
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        
        PID:2264
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        
        PID:536
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        
        PID:1764
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
        10⤵
        
        PID:1736
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
        10⤵
        
        PID:2432
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
        10⤵
        
        PID:1724
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        10⤵
        
        PID:2944
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
        10⤵
        
        PID:1460
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
        10⤵
        
        PID:1744
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
        11⤵
        
        PID:2324
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
        10⤵
        
        PID:2716
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
        11⤵
        
        PID:2444
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:2724
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
        10⤵
        
        PID:2700
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
        11⤵
        
        PID:2720
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
        10⤵
        Drops file in Program Files directory
        
        PID:2632
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
        11⤵
        
        PID:2592
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:1528
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        
        PID:3044
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:2608
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        
        PID:2388
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\
        10⤵
        
        PID:2872
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\
        11⤵
        
        PID:2536
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2400
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\
        11⤵
        
        PID:668
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\
        10⤵
        
        PID:2548
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\
        11⤵
        
        PID:2280
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\
        10⤵
        
        PID:2956
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\
        11⤵
        
        PID:792
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\
        10⤵
        
        PID:2184
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\
        11⤵
        
        PID:2200
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\
        10⤵
        
        PID:2420
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\
        11⤵
        
        PID:1364
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
        9⤵
        
        PID:1624
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        10⤵
        
        PID:2012
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
        11⤵
        
        PID:2164
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
        12⤵
        
        PID:2952
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
        10⤵
        
        PID:1368
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
        11⤵
        
        PID:2148
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
        12⤵
        
        PID:1556
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
        9⤵
        
        PID:1104
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
        10⤵
        
        PID:1688
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
        11⤵
        
        PID:2336
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
        12⤵
        
        PID:332
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
        13⤵
        
        PID:608
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
        13⤵
        
        PID:1600
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
        13⤵
        
        PID:1596
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
        11⤵
        
        PID:1576
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
        11⤵
        
        PID:2612
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
        10⤵
        
        PID:2712
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
        11⤵
        
        PID:2708
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
        11⤵
        
        PID:3056
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
        11⤵
        
        PID:1676
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
        11⤵
        
        PID:2004
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
        10⤵
        Drops file in Program Files directory
        
        PID:3048
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
        11⤵
        
        PID:1060
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
        10⤵
        
        PID:2988
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\
        11⤵
        
        PID:2968
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\
        12⤵
        
        PID:1496
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\
        11⤵
        
        PID:2664
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\
        11⤵
        
        PID:2892
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
        8⤵
        
        PID:692
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
        9⤵
        
        PID:2924
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
        9⤵
        
        PID:1692
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\
        10⤵
        
        PID:2000
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\
        11⤵
        
        PID:1012
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\
        11⤵
        
        PID:2184
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\
        10⤵
        
        PID:2260
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\
        11⤵
        
        PID:1644
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\
        10⤵
        
        PID:1708
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\
        11⤵
        
        PID:2040
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\
        10⤵
        
        PID:2992
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\
        11⤵
        
        PID:2432
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\
        12⤵
        
        PID:2656
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\
        11⤵
        
        PID:820
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\
        10⤵
        
        PID:1600
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
        9⤵
        
        PID:2476
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\
        10⤵
        Drops file in Program Files directory
        
        PID:2396
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\
        11⤵
        
        PID:2800
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\
        10⤵
        
        PID:2036
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\
        11⤵
        
        PID:2620
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
        13⤵
        
        PID:2676
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\
        12⤵
        
        PID:2988
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
        13⤵
        
        PID:588
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\
        11⤵
        
        PID:2488
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\
        10⤵
        Drops file in Program Files directory
        
        PID:1652
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\
        10⤵
        
        PID:536
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\
        9⤵
        
        PID:2304
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\
        10⤵
        
        PID:304
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\
        11⤵
        
        PID:1828
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\
        10⤵
        
        PID:2796
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\
        11⤵
        
        PID:2492
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\
        10⤵
        Drops file in Program Files directory
        
        PID:600
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\
        11⤵
        
        PID:2624
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\
        10⤵
        
        PID:2572
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2524
        
        C:\Program Files\Java\jre7\bin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
        7⤵
        
        PID:2340
        
        C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
        8⤵
        
        PID:1496
        
        C:\Program Files\Java\jre7\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
        8⤵
        
        PID:1132
        
        C:\Program Files\Java\jre7\bin\server\backup.exe
        
        "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
        8⤵
        
        PID:2616
        
        C:\Program Files\Java\jre7\lib\update.exe
        
        "C:\Program Files\Java\jre7\lib\update.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:2372
        
        C:\Program Files\Java\jre7\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
        8⤵
        
        PID:1036
        
        C:\Program Files\Java\jre7\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
        8⤵
        
        PID:1052
        
        C:\Program Files\Java\jre7\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\
        8⤵
        
        PID:2156
        
        C:\Program Files\Java\jre7\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\
        8⤵
        
        PID:1884
        
        C:\Program Files\Java\jre7\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\
        8⤵
        System policy modification
        
        PID:1984
        
        C:\Program Files\Java\jre7\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\
        8⤵
        
        PID:1156
        
        C:\Program Files\Java\jre7\lib\images\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
        8⤵
        
        PID:2328
        
        C:\Program Files\Java\jre7\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\cursors\backup.exe" C:\Program Files\Java\jre7\lib\images\cursors\
        9⤵
        
        PID:2716
        
        C:\Program Files\Java\jre7\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
        8⤵
        
        PID:1524
        
        C:\Program Files\Java\jre7\lib\management\backup.exe
        
        "C:\Program Files\Java\jre7\lib\management\backup.exe" C:\Program Files\Java\jre7\lib\management\
        8⤵
        System policy modification
        
        PID:2708
        
        C:\Program Files\Java\jre7\lib\security\backup.exe
        
        "C:\Program Files\Java\jre7\lib\security\backup.exe" C:\Program Files\Java\jre7\lib\security\
        8⤵
        
        PID:2592
        
        C:\Program Files\Java\jre7\lib\zi\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\backup.exe" C:\Program Files\Java\jre7\lib\zi\
        8⤵
        
        PID:2572
        
        C:\Program Files\Java\jre7\lib\zi\Africa\System Restore.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Africa\System Restore.exe" C:\Program Files\Java\jre7\lib\zi\Africa\
        9⤵
        
        PID:2404
        
        C:\Program Files\Java\jre7\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\
        9⤵
        
        PID:1716
        
        C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Argentina\
        10⤵
        
        PID:2564
        
        C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Indiana\
        10⤵
        
        PID:2452
        
        C:\Program Files\Java\jre7\lib\zi\America\Kentucky\data.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Kentucky\data.exe" C:\Program Files\Java\jre7\lib\zi\America\Kentucky\
        10⤵
        System policy modification
        
        PID:588
        
        C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\
        10⤵
        
        PID:2548
        
        C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jre7\lib\zi\Antarctica\
        9⤵
        
        PID:2196
        
        C:\Program Files\Java\jre7\lib\zi\Asia\data.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Asia\data.exe" C:\Program Files\Java\jre7\lib\zi\Asia\
        9⤵
        
        PID:1672
        
        C:\Program Files\Java\jre7\lib\zi\Atlantic\update.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Atlantic\update.exe" C:\Program Files\Java\jre7\lib\zi\Atlantic\
        9⤵
        
        PID:2680
        
        C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Australia\
        9⤵
        
        PID:1932
        
        C:\Program Files\Java\jre7\lib\zi\Etc\data.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Etc\data.exe" C:\Program Files\Java\jre7\lib\zi\Etc\
        9⤵
        
        PID:540
        
        C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe" C:\Program Files\Java\jre7\lib\zi\Europe\
        9⤵
        
        PID:2660
        
        C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe" C:\Program Files\Java\jre7\lib\zi\Indian\
        9⤵
        
        PID:576
        
        C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jre7\lib\zi\Pacific\
        9⤵
        
        PID:1872
        
        C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jre7\lib\zi\SystemV\
        9⤵
        
        PID:2832
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1596
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        Drops file in Program Files directory
        
        PID:2592
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:2840
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        
        PID:896
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        
        PID:2976
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        
        PID:2936
        
        C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        7⤵
        
        PID:2144
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        7⤵
        System policy modification
        
        PID:588
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:2956
        
        C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
        7⤵
        
        PID:2104
        
        C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
        7⤵
        
        PID:712
        
        C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
        7⤵
        
        PID:1652
        
        C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
        7⤵
        
        PID:1048
      - C:\Program Files\Microsoft Games\Hearts\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Hearts\System Restore.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        System policy modification
        
        PID:332
        
        C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
        7⤵
        
        PID:1692
        
        C:\Program Files\Microsoft Games\Hearts\en-US\data.exe
        
        "C:\Program Files\Microsoft Games\Hearts\en-US\data.exe" C:\Program Files\Microsoft Games\Hearts\en-US\
        7⤵
        
        PID:2300
        
        C:\Program Files\Microsoft Games\Hearts\es-ES\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Hearts\es-ES\System Restore.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\
        7⤵
        
        PID:2624
        
        C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\
        7⤵
        
        PID:2396
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\
        7⤵
        
        PID:600
        
        C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\
        7⤵
        
        PID:1628
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:1736
        
        C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe" C:\Program Files\Microsoft Games\Mahjong\de-DE\
        7⤵
        
        PID:2880
        
        C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe" C:\Program Files\Microsoft Games\Mahjong\en-US\
        7⤵
        
        PID:792
        
        C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe" C:\Program Files\Microsoft Games\Mahjong\es-ES\
        7⤵
        
        PID:2620
        
        C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Mahjong\fr-FR\
        7⤵
        
        PID:2348
        
        C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe" C:\Program Files\Microsoft Games\Mahjong\it-IT\
        7⤵
        
        PID:2196
        
        C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Mahjong\ja-JP\
        7⤵
        
        PID:2024
      - C:\Program Files\Microsoft Games\Minesweeper\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:2260
        
        C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\
        7⤵
        
        PID:1932
        
        C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\en-US\
        7⤵
        
        PID:1460
        
        C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\es-ES\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Program Files\Microsoft Games\Minesweeper\fr-FR\update.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\fr-FR\update.exe" C:\Program Files\Microsoft Games\Minesweeper\fr-FR\
        7⤵
        
        PID:2112
        
        C:\Program Files\Microsoft Games\Minesweeper\it-IT\data.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\it-IT\data.exe" C:\Program Files\Microsoft Games\Minesweeper\it-IT\
        7⤵
        
        PID:340
        
        C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\ja-JP\
        7⤵
        
        PID:716
      - C:\Program Files\Microsoft Games\More Games\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
        6⤵
        
        PID:3052
        
        C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe" C:\Program Files\Microsoft Games\More Games\de-DE\
        7⤵
        
        PID:324
        
        C:\Program Files\Microsoft Games\More Games\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\en-US\backup.exe" C:\Program Files\Microsoft Games\More Games\en-US\
        7⤵
        
        PID:900
        
        C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe" C:\Program Files\Microsoft Games\More Games\es-ES\
        7⤵
        
        PID:2760
        
        C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe" C:\Program Files\Microsoft Games\More Games\fr-FR\
        7⤵
        
        PID:2576
        
        C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe" C:\Program Files\Microsoft Games\More Games\it-IT\
        7⤵
        
        PID:2904
        
        C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe" C:\Program Files\Microsoft Games\More Games\ja-JP\
        7⤵
        
        PID:2416
      - C:\Program Files\Microsoft Games\Multiplayer\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
        6⤵
        
        PID:1528
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\
        7⤵
        
        PID:2252
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\
        8⤵
        
        PID:2140
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\data.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\data.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\
        8⤵
        
        PID:1372
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\
        8⤵
        
        PID:1820
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\System Restore.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\
        8⤵
        System policy modification
        
        PID:2844
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\
        8⤵
        
        PID:1368
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\
        7⤵
        
        PID:2784
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\
        8⤵
        
        PID:904
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\
        8⤵
        
        PID:2028
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\
        8⤵
        
        PID:2524
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\
        8⤵
        
        PID:2596
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\
        8⤵
        
        PID:2836
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\
        8⤵
        
        PID:2188
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\
        8⤵
        System policy modification
        
        PID:2292
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\
        8⤵
        
        PID:2644
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\
        8⤵
        
        PID:280
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\
        8⤵
        
        PID:2952
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\
        8⤵
        
        PID:2476
      - C:\Program Files\Microsoft Games\Purble Place\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
        6⤵
        Drops file in Program Files directory
        
        PID:2556
        
        C:\Program Files\Microsoft Games\Purble Place\de-DE\data.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\de-DE\data.exe" C:\Program Files\Microsoft Games\Purble Place\de-DE\
        7⤵
        
        PID:2052
        
        C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe" C:\Program Files\Microsoft Games\Purble Place\en-US\
        7⤵
        
        PID:1556
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe" C:\Program Files\Microsoft Games\Purble Place\es-ES\
        7⤵
        
        PID:1608
        
        C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Purble Place\fr-FR\
        7⤵
        
        PID:2896
        
        C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe" C:\Program Files\Microsoft Games\Purble Place\it-IT\
        7⤵
        
        PID:2328
        
        C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Purble Place\ja-JP\
        7⤵
        
        PID:2688
      - C:\Program Files\Microsoft Games\Solitaire\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\backup.exe" C:\Program Files\Microsoft Games\Solitaire\
        6⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\Solitaire\de-DE\
        7⤵
        
        PID:1584
        
        C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\Solitaire\en-US\
        7⤵
        
        PID:2960
        
        C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\Solitaire\es-ES\
        7⤵
        System policy modification
        
        PID:2124
        
        C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Solitaire\fr-FR\
        7⤵
        
        PID:2888
        
        C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\Solitaire\it-IT\
        7⤵
        
        PID:2932
        
        C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Solitaire\ja-JP\
        7⤵
        
        PID:2188
      - C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\
        6⤵
        
        PID:2368
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\
        7⤵
        
        PID:2348
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\
        7⤵
        
        PID:1544
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\
        7⤵
        
        PID:2200
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\
        7⤵
        
        PID:1876
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\
        7⤵
        
        PID:2968
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\
        7⤵
        
        PID:2656
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2000
      - C:\Program Files\Microsoft Office\Office14\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Office14\System Restore.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:2112
        
        C:\Program Files\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
        7⤵
        
        PID:2792
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1928
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1676
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:1616
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:2744
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:2784
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2124
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:2676
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:2400
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\data.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\data.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:2240
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:2364
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1732
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:2216
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:1792
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:572
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        System policy modification
        
        PID:1656
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1596
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:2172
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:1608
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:604
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:2848
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:3036
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:1628
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        System policy modification
        
        PID:272
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:2888
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:1496
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        Drops file in Program Files directory
        
        PID:2824
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:2036
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:1660
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:1712
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:1720
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:2672
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:2764
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1048
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        
        PID:2288
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:1040
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        Drops file in Program Files directory
        
        PID:2860
        
        C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        
        PID:3044
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:2848
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        8⤵
        
        PID:2960
        
        C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        9⤵
        
        PID:2744
        
        C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        8⤵
        
        PID:2760
        
        C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\
        8⤵
        
        PID:2416
        
        C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\
        9⤵
        
        PID:1648
        
        C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        8⤵
        
        PID:2488
        
        C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
        9⤵
        
        PID:1552
        
        C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
        8⤵
        
        PID:2088
        
        C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        9⤵
        
        PID:1820
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
        8⤵
        
        PID:628
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
        9⤵
        
        PID:2816
        
        C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
        8⤵
        
        PID:1596
        
        C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
        8⤵
        
        PID:1524
        
        C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\
        9⤵
        
        PID:856
        
        C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\
        8⤵
        
        PID:2260
        
        C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
        9⤵
        
        PID:1616
        
        C:\Program Files\VideoLAN\VLC\locale\bn\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn\update.exe" C:\Program Files\VideoLAN\VLC\locale\bn\
        8⤵
        
        PID:1284
        
        C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\
        9⤵
        
        PID:304
        
        C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\
        8⤵
        
        PID:2236
        
        C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\
        9⤵
        
        PID:1100
        
        C:\Program Files\VideoLAN\VLC\locale\br\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\
        8⤵
        Drops file in Program Files directory
        
        PID:2812
        
        C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\
        9⤵
        
        PID:2676
        
        C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\
        8⤵
        
        PID:1036
        
        C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\
        9⤵
        
        PID:2104
        
        C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\
        8⤵
        
        PID:536
        
        C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\
        9⤵
        
        PID:2056
        
        C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\
        8⤵
        
        PID:2052
        
        C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\
        9⤵
        
        PID:1564
        
        C:\Program Files\VideoLAN\VLC\locale\ca@valencia\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca@valencia\
        8⤵
        
        PID:2604
        
        C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\
        9⤵
        
        PID:1576
        
        C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\
        8⤵
        
        PID:1948
        
        C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\
        9⤵
        
        PID:320
        
        C:\Program Files\VideoLAN\VLC\locale\co\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\co\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\
        8⤵
        
        PID:1744
        
        C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\
        9⤵
        
        PID:2784
        
        C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\
        8⤵
        
        PID:2340
        
        C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\
        9⤵
        
        PID:2316
        
        C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\
        8⤵
        
        PID:2488
        
        C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\
        9⤵
        
        PID:1772
        
        C:\Program Files\VideoLAN\VLC\locale\da\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\da\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\
        8⤵
        
        PID:2080
        
        C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\
        9⤵
        
        PID:1828
        
        C:\Program Files\VideoLAN\VLC\locale\de\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\de\update.exe" C:\Program Files\VideoLAN\VLC\locale\de\
        8⤵
        
        PID:2688
        
        C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\
        9⤵
        
        PID:2020
        
        C:\Program Files\VideoLAN\VLC\locale\el\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\el\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\
        8⤵
        
        PID:2012
        
        C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\
        9⤵
        
        PID:1284
        
        C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\
        8⤵
        
        PID:2236
        
        C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\
        9⤵
        
        PID:2084
        
        C:\Program Files\VideoLAN\VLC\locale\eo\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\eo\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eo\
        8⤵
        
        PID:1320
        
        C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\
        9⤵
        
        PID:1660
        
        C:\Program Files\VideoLAN\VLC\locale\es\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\es\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\
        8⤵
        
        PID:1624
        
        C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\
        9⤵
        
        PID:2660
        
        C:\Program Files\VideoLAN\VLC\locale\es_MX\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\es_MX\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es_MX\
        8⤵
        
        PID:2996
        
        C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\
        9⤵
        
        PID:2132
        
        C:\Program Files\VideoLAN\VLC\locale\et\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\et\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\
        8⤵
        
        PID:2628
        
        C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\
        9⤵
        
        PID:3036
        
        C:\Program Files\VideoLAN\VLC\locale\eu\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\eu\update.exe" C:\Program Files\VideoLAN\VLC\locale\eu\
        8⤵
        
        PID:272
        
        C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\
        9⤵
        
        PID:1728
        
        C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\
        8⤵
        
        PID:2084
        
        C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\
        9⤵
        
        PID:2592
        
        C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\
        8⤵
        
        PID:1528
        
        C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\
        9⤵
        
        PID:588
        
        C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\
        8⤵
        
        PID:2224
        
        C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\
        9⤵
        
        PID:1572
        
        C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\
        8⤵
        
        PID:2300
        
        C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\
        9⤵
        
        PID:2704
        
        C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\
        8⤵
        
        PID:2360
        
        C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\
        9⤵
        
        PID:2584
        
        C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\
        8⤵
        
        PID:2348
        
        C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\
        9⤵
        
        PID:1672
        
        C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\
        8⤵
        
        PID:2060
        
        C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\
        9⤵
        
        PID:2332
        
        C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\
        8⤵
        
        PID:2792
        
        C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\
        9⤵
        
        PID:2884
        
        C:\Program Files\VideoLAN\VLC\locale\gl\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gl\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\gl\
        8⤵
        
        PID:1340
        
        C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\
        9⤵
        
        PID:3004
        
        C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\
        8⤵
        
        PID:796
        
        C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\
        9⤵
        
        PID:792
        
        C:\Program Files\VideoLAN\VLC\locale\he\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\he\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\
        8⤵
        
        PID:2364
        
        C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\
        9⤵
        
        PID:1952
        
        C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\
        8⤵
        
        PID:1244
        
        C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\
        9⤵
        
        PID:540
        
        C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\
        8⤵
        
        PID:536
        
        C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\
        9⤵
        
        PID:2208
        
        C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\
        8⤵
        
        PID:3068
        
        C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\
        9⤵
        
        PID:600
        
        C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\
        8⤵
        
        PID:304
        
        C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\
        9⤵
        
        PID:2704
        
        C:\Program Files\VideoLAN\VLC\locale\id\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\id\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\
        8⤵
        
        PID:2788
        
        C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\
        9⤵
        
        PID:1728
        
        C:\Program Files\VideoLAN\VLC\locale\ie\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ie\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ie\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2340
        
        C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\
        9⤵
        
        PID:2844
        
        C:\Program Files\VideoLAN\VLC\locale\is\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\is\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\
        8⤵
        
        PID:2888
        
        C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\
        9⤵
        
        PID:2352
        
        C:\Program Files\VideoLAN\VLC\locale\it\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\it\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\
        8⤵
        
        PID:1524
        
        C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\
        9⤵
        
        PID:2056
        
        C:\Program Files\VideoLAN\VLC\locale\ja\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ja\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\ja\
        8⤵
        
        PID:2000
        
        C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\
        9⤵
        
        PID:1272
        
        C:\Program Files\VideoLAN\VLC\locale\ka\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ka\data.exe" C:\Program Files\VideoLAN\VLC\locale\ka\
        8⤵
        
        PID:2744
        
        C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\
        9⤵
        
        PID:1580
        
        C:\Program Files\VideoLAN\VLC\locale\kab\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kab\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kab\
        8⤵
        
        PID:3012
        
        C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\
        9⤵
        
        PID:2280
        
        C:\Program Files\VideoLAN\VLC\locale\kk\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\
        8⤵
        
        PID:2088
        
        C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\
        9⤵
        
        PID:2200
        
        C:\Program Files\VideoLAN\VLC\locale\km\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\km\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\
        8⤵
        Drops file in Program Files directory
        
        PID:2644
        
        C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\
        9⤵
        
        PID:1672
        
        C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\
        8⤵
        
        PID:2888
        
        C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\
        9⤵
        
        PID:2660
        
        C:\Program Files\VideoLAN\VLC\locale\ko\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ko\data.exe" C:\Program Files\VideoLAN\VLC\locale\ko\
        8⤵
        
        PID:2024
        
        C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\
        9⤵
        
        PID:2880
        
        C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\
        8⤵
        
        PID:1580
        
        C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\
        9⤵
        
        PID:2564
        
        C:\Program Files\VideoLAN\VLC\locale\ku_IQ\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ku_IQ\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ku_IQ\
        8⤵
        
        PID:1372
        
        C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\
        9⤵
        
        PID:2600
        
        C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\
        8⤵
        
        PID:3008
        
        C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\
        9⤵
        
        PID:2820
        
        C:\Program Files\VideoLAN\VLC\locale\lg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\
        8⤵
        System policy modification
        
        PID:2800
        
        C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\
        9⤵
        
        PID:1564
        
        C:\Program Files\VideoLAN\VLC\locale\lo\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lo\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lo\
        8⤵
        
        PID:1784
        
        C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\
        9⤵
        
        PID:2372
        
        C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\
        8⤵
        
        PID:2688
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:2264
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:2456
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:1736
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:2204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:896
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:3004
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:2600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2124
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:2536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2400
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:2120
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Drops file in Program Files directory
        
        PID:2816
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:2196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:1876
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:2656
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:2460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:2960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:2252
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        
        PID:2420
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1392
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2804
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1060
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1492
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2664
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:668
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1012
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:628
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:2260
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:1640
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1540
      - C:\Program Files (x86)\Common Files\Adobe AIR\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\update.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2604
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:2204
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2808
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        Drops file in Program Files directory
        
        PID:2724
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:2648
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:2836
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:2928
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        8⤵
        
        PID:2388
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:2940
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:2904
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        
        PID:1132
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        
        PID:1928
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
        8⤵
        
        PID:2652
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
        8⤵
        
        PID:2480
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
        8⤵
        
        PID:536
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
        8⤵
        
        PID:2156
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
        8⤵
        
        PID:468
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
        8⤵
        
        PID:608
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
        8⤵
        
        PID:2604
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
        8⤵
        
        PID:2328
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
        8⤵
        
        PID:2392
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
        8⤵
        
        PID:2524
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        7⤵
        
        PID:2844
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        8⤵
        
        PID:304
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        8⤵
        
        PID:2888
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        8⤵
        
        PID:2220
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:1804
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        8⤵
        
        PID:1536
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:2616
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:2056
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        7⤵
        
        PID:2148
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        7⤵
        
        PID:2916
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:3008
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        
        PID:1700
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:1020
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:1872
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:3004
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:2884
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1284
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:692
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        7⤵
        
        PID:2780
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
        8⤵
        
        PID:2888
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
        8⤵
        
        PID:2676
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
        8⤵
        Drops file in Program Files directory
        
        PID:592
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
        9⤵
        
        PID:3060
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
        9⤵
        
        PID:2600
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
        9⤵
        
        PID:2588
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
        9⤵
        
        PID:1764
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
        9⤵
        
        PID:2024
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
        9⤵
        
        PID:2052
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
        9⤵
        
        PID:540
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
        9⤵
        
        PID:2172
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
        9⤵
        
        PID:608
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
        9⤵
        
        PID:2460
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
        9⤵
        
        PID:2688
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
        9⤵
        
        PID:2856
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\
        9⤵
        
        PID:3040
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\
        9⤵
        
        PID:304
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\
        9⤵
        
        PID:2360
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\
        9⤵
        
        PID:2760
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\
        9⤵
        
        PID:1492
        
        C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1728
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
        7⤵
        
        PID:2256
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
        8⤵
        
        PID:2548
        
        C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
        7⤵
        
        PID:1712
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
        7⤵
        
        PID:984
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\
        8⤵
        
        PID:2988
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\
        8⤵
        
        PID:2072
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\
        9⤵
        
        PID:1604
        
        C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
        7⤵
        System policy modification
        
        PID:1368
        
        C:\Program Files (x86)\Common Files\microsoft shared\Stationery\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2332
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:2824
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\
        8⤵
        
        PID:2804
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:320
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\
        8⤵
        
        PID:2796
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\
        8⤵
        
        PID:332
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\
        8⤵
        
        PID:2236
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\
        8⤵
        
        PID:2984
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
        7⤵
        Drops file in Program Files directory
        
        PID:2692
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\
        8⤵
        
        PID:1464
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\
        8⤵
        
        PID:1320
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\
        8⤵
        
        PID:280
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\
        8⤵
        
        PID:536
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\
        8⤵
        
        PID:2672
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\
        8⤵
        
        PID:2100
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\
        8⤵
        
        PID:820
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\
        8⤵
        
        PID:2820
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\
        8⤵
        
        PID:1608
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\
        8⤵
        
        PID:2972
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\
        8⤵
        
        PID:2612
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\
        8⤵
        
        PID:2556
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\
        8⤵
        
        PID:2840
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\
        8⤵
        
        PID:2756
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\
        8⤵
        
        PID:2636
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\
        8⤵
        
        PID:1100
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\
        8⤵
        
        PID:1960
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\
        8⤵
        
        PID:2340
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\
        8⤵
        
        PID:2872
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\
        8⤵
        
        PID:2600
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\
        8⤵
        
        PID:1012
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\
        8⤵
        
        PID:628
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\
        8⤵
        
        PID:2192
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\
        8⤵
        
        PID:2244
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\
        8⤵
        
        PID:3008
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\
        8⤵
        
        PID:2996
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\
        8⤵
        
        PID:2164
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\
        8⤵
        
        PID:716
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\
        8⤵
        
        PID:2628
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\
        8⤵
        
        PID:2796
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\
        8⤵
        
        PID:2012
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\
        8⤵
        
        PID:3048
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\
        8⤵
        
        PID:2220
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\
        8⤵
        
        PID:592
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\
        8⤵
        
        PID:2676
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\
        8⤵
        
        PID:2696
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\
        8⤵
        
        PID:2240
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\
        8⤵
        
        PID:1640
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\
        8⤵
        
        PID:1408
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\
        8⤵
        
        PID:2420
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\
        8⤵
        
        PID:1944
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\
        8⤵
        
        PID:1604
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\
        8⤵
        
        PID:1736
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\
        8⤵
        
        PID:608
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\
        7⤵
        
        PID:3004
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\
        8⤵
        
        PID:2008
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\
        8⤵
        
        PID:2268
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\
        8⤵
        
        PID:324
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\
        8⤵
        
        PID:304
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\
        8⤵
        
        PID:332
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\
        8⤵
        
        PID:2160
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:2976
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\
        8⤵
        
        PID:604
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:568
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\
        8⤵
        
        PID:2116
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\
        8⤵
        
        PID:1640
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\
        8⤵
        
        PID:1696
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\
        8⤵
        
        PID:1932
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\
        7⤵
        
        PID:2040
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\
        8⤵
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\
        8⤵
        
        PID:2204
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\
        9⤵
        
        PID:652
        
        C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VC\
        7⤵
        
        PID:2748
        
        C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:1688
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\
        7⤵
        
        PID:2212
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\
        8⤵
        
        PID:3044
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\
        9⤵
        
        PID:1676
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:2948
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        9⤵
        
        PID:2280
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\
        8⤵
        
        PID:1496
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        9⤵
        
        PID:2924
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\
        9⤵
        
        PID:964
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\
        9⤵
        
        PID:1664
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        9⤵
        
        PID:2196
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:2060
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:468
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:984
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\
        7⤵
        
        PID:1872
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\
        8⤵
        
        PID:1792
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\
        7⤵
        
        PID:856
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\
        8⤵
        
        PID:1780
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\
        9⤵
        
        PID:900
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\
        10⤵
        
        PID:2404
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2948
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        Drops file in Program Files directory
        
        PID:1464
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2548
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1724
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:2944
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1564
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:1736
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2460
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1952
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2972
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1808
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:668
        
        C:\Program Files (x86)\Common Files\System\en-US\update.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\update.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:2184
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:1664
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:1696
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:1600
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:1364
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:2204
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:2080
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2804
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2220
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2908
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:2188
        
        C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\
        7⤵
        
        PID:2184
        
        C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\1033\
        8⤵
        
        PID:1320
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:1280
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1296
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2068
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:2020
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1628
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\update.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\update.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:856
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\data.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\data.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1764
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2056
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1720
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2800
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:2920
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:1952
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1780
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:2364
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:2204
        
        C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\
        8⤵
        
        PID:2988
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:2104
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2476
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1720
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2460
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2848
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1848
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:2576
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:2764
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:604
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1272
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:2024
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
        7⤵
        
        PID:2092
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\System Restore.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
        8⤵
        
        PID:1984
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
        8⤵
        
        PID:2348
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\
        9⤵
        
        PID:2432
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2080
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:1392
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System Restore.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\
        7⤵
        
        PID:2380
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\
        7⤵
        
        PID:2124
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\
        8⤵
        
        PID:568
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:1784
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\
        7⤵
        
        PID:2244
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\
        7⤵
        
        PID:1724
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\
        7⤵
        
        PID:1624
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        
        PID:2152
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\data.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\
        7⤵
        
        PID:1968
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\
        8⤵
        
        PID:2404
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\
        7⤵
        
        PID:2160
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\
        8⤵
        
        PID:1804
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\
        8⤵
        
        PID:964
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\
        8⤵
        
        PID:1728
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\
        8⤵
        
        PID:3028
      - C:\Program Files (x86)\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\
        6⤵
        Drops file in Program Files directory
        
        PID:2620
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\
        7⤵
        Drops file in Program Files directory
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\
        8⤵
        
        PID:1368
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\data.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\
        8⤵
        
        PID:652
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\
        8⤵
        
        PID:2796
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\
        9⤵
        
        PID:2180
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\
        10⤵
        
        PID:720
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\
        10⤵
        
        PID:1100
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\
        10⤵
        
        PID:796
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\
        10⤵
        
        PID:1640
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\
        10⤵
        
        PID:2068
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\
        10⤵
        
        PID:2152
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\
        10⤵
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\
        10⤵
        
        PID:2492
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\
        10⤵
        
        PID:2572
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\
        10⤵
        
        PID:2836
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\
        10⤵
        
        PID:2000
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:588
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2820
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2460
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2748
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2624
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1700
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2636
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:592
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:904
      - C:\Users\Admin\Pictures\update.exe
        
        C:\Users\Admin\Pictures\update.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2812
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2064
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2620
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1672
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2352
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2492
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2852
      - C:\Users\Public\Music\update.exe
        
        C:\Users\Public\Music\update.exe C:\Users\Public\Music\
        6⤵
        
        PID:2040
        
        C:\Users\Public\Music\Sample Music\data.exe
        
        "C:\Users\Public\Music\Sample Music\data.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:2540
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2372
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        7⤵
        
        PID:2388
      - C:\Users\Public\Recorded TV\System Restore.exe
        
        "C:\Users\Public\Recorded TV\System Restore.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:2868
        
        C:\Users\Public\Recorded TV\Sample Media\backup.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
        7⤵
        
        PID:1008
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2948
        
        C:\Users\Public\Videos\Sample Videos\backup.exe
        
        "C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
        7⤵
        
        PID:2340
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:2116
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2432
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:2916
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:3008
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:2852
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:1260
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:2748
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:2756
      - C:\Windows\AppPatch\en-US\data.exe
        
        C:\Windows\AppPatch\en-US\data.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:332
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:592
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:2348
      - C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        6⤵
        
        PID:1784
      - C:\Windows\AppPatch\ja-JP\backup.exe
        
        C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
        6⤵
        
        PID:2620
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:2672
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:2192
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:2164
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:692
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:1540
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\System Restore.exe
        
        "C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2932
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\
        7⤵
        
        PID:2644
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\
        8⤵
        
        PID:300
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\
        8⤵
        
        PID:2352
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:1768
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2368
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:608
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1112
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:864
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\data.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\data.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:928
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1012
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:2684
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1932
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        
        PID:2104
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\
        7⤵
        
        PID:1604
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2692
        
        C:\Windows\assembly\GAC_32\BDATunePIA\update.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\update.exe C:\Windows\assembly\GAC_32\BDATunePIA\
        7⤵
        
        PID:1992
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1576
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:2268
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2852
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\
        7⤵
        
        PID:2144
        
        C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:796
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:1888
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1308
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\
        7⤵
        
        PID:1952
        
        C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1280
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\
        7⤵
        
        PID:2816
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2140
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\
        7⤵
        
        PID:2228
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\
        8⤵
        
        PID:2996
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\
        8⤵
        
        PID:720
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\
        8⤵
        
        PID:1848
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\update.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\update.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\
        8⤵
        
        PID:2932
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\
        8⤵
        
        PID:2652
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\
        7⤵
        
        PID:2608
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1308
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:1732
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1040
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:2536
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:716
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\
        7⤵
        
        PID:1712
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\
        8⤵
        
        PID:2904
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\data.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\data.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\
        7⤵
        
        PID:2260
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\
        8⤵
        
        PID:1284
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\
        7⤵
        
        PID:2144
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\
        8⤵
        
        PID:2628
        
        C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\
        7⤵
        
        PID:2364
        
        C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2268
        
        C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\backup.exe C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\
        7⤵
        
        PID:1408
        
        C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\
        8⤵
        
        PID:2120
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:2552
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2816
        
        C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\backup.exe C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\
        7⤵
        
        PID:2996
        
        C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2888
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\Low\data.exe
  C:\Users\Admin\AppData\Local\Temp\Low\data.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_1753267138\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_1753267138\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_1753267138\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_1753267138\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_1753267138\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_1753267138\CRX_INSTALL\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1440
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_387055753\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_387055753\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_387055753\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_387055753\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_387055753\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2148_387055753\CRX_INSTALL\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe C:\Users\Admin\AppData\Local\Temp\VBE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:568
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
6223c5d32a69d85341df4d38e117aeb9

SHA1
049ddddc4d7045d597832d859c22cb4de8c0efc3

SHA256
dd1ba36474163aa02e0f3f222a48dd7ea978e341b75687eeaaa0e5aeff61306d

SHA512
2c58ad0a5144076bcdc42773c6e66f2324b46b3b8528adc611705f3538c76ab9cd6afc3c5ea3081e7f7b3e213d35dbdc2c4770fbe09e6e250346d27f9ffcd0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
3bf77ed21858a5d18e775ae3a397f020

SHA1
1a8f4d20ebfc594dfef1a93b9e9f3bb651e2dee2

SHA256
e6717e2ad77d1c0c98c0964c0c057e01eab74be8e6e0d2fcb7fec305e49651a7

SHA512
c056fb0ec9350029e2ed8c7235b62cdcbf24a2fa34e60783b7540d2a949d71facc574b72ddf2843381d9444ee99ab8d78b7407c713189f70603496831afb4a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
41KB

MD5
da9addf9e87e8ed9ed53a4e823b921e6

SHA1
eba490a5adb74148162178069859816fe77d48d2

SHA256
fa9363f686ba3894103fa5ecfac5dc5ab8b37c54121dbb1325a1eb7eeb5f6ecf

SHA512
b7ecb2c7b6d425de25194c082119e9f16dcf501254dd7ae58c05475beeabe950673c6ca75a4d80a6aaa5bce72765cc0989c5d815245e39efd812ce37071a3718

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
122KB

MD5
73efe979cdf385aa121a058653d377a0

SHA1
9cdb0d2eabd0a1cf008704481b156dc7403d8947

SHA256
b64b086b7d65067d849a706e8aeaee09d9637ebc0cb37662a9cd3abbf07039f8

SHA512
997207408ac41e7565030da53600a3bc3f7c3ea811067c0f629a9ae9332a75d728f772c1edb25695620dcb81caa9d989eae5d5a5a80973b81db2783b8ef9bddd

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
bf6a429ea78ffad3c32b70629fd4042f

SHA1
01b488d47a2de5d0c0dfa830eb6ad4014042163c

SHA256
3fcab4cb8213f7280f4fc511d8a754e9c8d7e7bdf2fde80c18babe2cd029aebc

SHA512
42363d17129534cfd0a4ab1966736af7ebedea8b258bde8a0a0e7cd6f28d4c9f4e3cf35ef2d862f77745fbdb1836e884415630800fe2e5cab840d8777cdd9530

Download Submit
\PerfLogs\backup.exe

Filesize
122KB

MD5
f193923dfb3282fbcb43cd0048ff5127

SHA1
4a0272e6381e980f6edc1104ac2a95ad51c163d2

SHA256
35488bc2d938fd7fdfc705afd7386f4f0000fd5512d94a95029e66b65f7f6c23

SHA512
e545a3a615bf93ebe21a88dec354adbae658b7c21fc8e68af4a9e13b24acb04dbe355d3568b2169d9a55317c9d323fe5d368d0a4c7432be8607c73430af65dec

Download Submit
\Users\Admin\AppData\Local\Temp\1442190504\backup.exe

Filesize
122KB

MD5
c3ed02423bb9a980d141162603311cf1

SHA1
f1344ce5fe2ca4f373a0c098099dfb3018e61360

SHA256
07572e742657c5d166f5ee81dfff2a246f5d721890495989795b304a44579cc5

SHA512
23ba599762cd9ca771513243026edabf43bcbddf624cd1407d9b0f9d426ce24b6a1880b328d8f28d928070d09cecc07262faa141cae4384967cf458defa3303e

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir2148_1753267138\CRX_INSTALL\backup.exe

Filesize
122KB

MD5
6e04dad2e50f039f7f4344582e438664

SHA1
045877f9e523393c2c1c1f4b1cfc932e805a2844

SHA256
77710976824ccf2993dc2dcacb78b23f12899ee55c1d5623faec82aebf16eff1

SHA512
a48148dba3b96fd0d9ca8ab3f47a76b3fe7042dba04aa85ffdca1b2796a6420c97ab45a379e158eb4f496b8ec617cfcfa95aa7ca80b52b96c400e8195466596e

Download Submit
memory/112-269-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/112-240-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/112-241-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/568-152-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/712-308-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/712-281-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/712-324-0x0000000000AC0000-0x0000000000AE4000-memory.dmp

Filesize
144KB

Download
memory/712-289-0x0000000000AC0000-0x0000000000AE4000-memory.dmp

Filesize
144KB

Download
memory/712-303-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/712-314-0x0000000000AC0000-0x0000000000AE4000-memory.dmp

Filesize
144KB

Download
memory/712-301-0x0000000000AC0000-0x0000000000AE4000-memory.dmp

Filesize
144KB

Download
memory/712-306-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/712-307-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/712-280-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1104-290-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1104-297-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1104-299-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1104-279-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/1104-270-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1104-271-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1132-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1276-111-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1320-339-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-328-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1320-363-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-402-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-362-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-377-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-329-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1320-364-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-376-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-391-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-390-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-327-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1320-326-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-404-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1320-403-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1440-110-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1524-147-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-12-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1524-217-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-218-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-51-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-25-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-58-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-78-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-77-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-211-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-91-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-185-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-11-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-161-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-160-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-146-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-103-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1524-49-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-130-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1524-119-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/1580-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1584-392-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1584-397-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1584-393-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1588-242-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1588-219-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/1608-338-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1664-843-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1692-450-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1728-166-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1772-258-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1952-228-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2192-524-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2204-261-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2212-379-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2212-380-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2212-385-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2212-378-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2224-226-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-471-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2440-315-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2440-325-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2580-365-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/2580-367-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/2580-371-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2580-366-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/2604-98-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2632-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2732-239-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download
memory/2732-186-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download
memory/2732-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2732-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2836-352-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2836-355-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2852-340-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2852-342-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2852-351-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2852-341-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2896-136-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2976-427-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3068-302-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads