c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314c

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
Size

88KB
MD5

acbf3418a65fb22fd081ee15fbb7ba30
SHA1

ae895adddc4641e96395eb6cd740e726aab92372
SHA256

c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314c
SHA512

1727e23da4f2a65681bf1a9ed4759d89f39b7a1493f0c0e192e0893e7caf15ce7a695635cc8fac2054a6b739bb17e1a509802b29fa9e4993b61be2c652348a61
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEm7:BeT7BVwxfvEFwjR7

Score

10^/10

discovery evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2364	backup.exe
2672	backup.exe
2804	backup.exe
2836	backup.exe
2940	backup.exe
2636	backup.exe
2108	backup.exe
2556	backup.exe
2196	backup.exe
2888	backup.exe
616	backup.exe
2668	data.exe
2908	backup.exe
1520	backup.exe
2520	backup.exe
1820	backup.exe
3040	update.exe
776	backup.exe
1712	backup.exe
340	backup.exe
2316	backup.exe
1260	backup.exe
236	backup.exe
2084	backup.exe
1924	System Restore.exe
2272	backup.exe
1708	backup.exe
1824	backup.exe
2380	backup.exe
2672	backup.exe
2704	System Restore.exe
2816	backup.exe
2612	backup.exe
764	update.exe
2384	update.exe
948	backup.exe
2464	backup.exe
2244	backup.exe
2276	backup.exe
2104	backup.exe
588	backup.exe
2912	backup.exe
1744	data.exe
2908	backup.exe
2676	backup.exe
2532	backup.exe
2184	backup.exe
3028	backup.exe
772	System Restore.exe
2408	backup.exe
1328	backup.exe
1284	backup.exe
2024	backup.exe
316	backup.exe
828	data.exe
2088	backup.exe
1652	backup.exe
2000	backup.exe
2852	backup.exe
2788	backup.exe
1844	System Restore.exe
2880	backup.exe
2696	backup.exe
2648	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
2836	backup.exe
2940	backup.exe
2940	backup.exe
2636	backup.exe
2636	backup.exe
2940	backup.exe
2940	backup.exe
2556	backup.exe
2556	backup.exe
2196	backup.exe
2196	backup.exe
2556	backup.exe
2556	backup.exe
616	backup.exe
616	backup.exe
2668	data.exe
2668	data.exe
2668	data.exe
2668	data.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
3040	update.exe
3040	update.exe
3040	update.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
1520	backup.exe
2272	backup.exe
2272	backup.exe
2836	backup.exe
2272	backup.exe
2272	backup.exe
2272	backup.exe
2272	backup.exe
1824	backup.exe
1824	backup.exe
2272	backup.exe
2272	backup.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/904-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00030000000178b0-5.dat	upx
behavioral1/memory/2672-27-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/904-41-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2364-52-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000700000001867e-51.dat	upx
behavioral1/files/0x0005000000018eba-66.dat	upx
behavioral1/memory/2804-73-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2636-74-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2940-70-0x0000000000270000-0x000000000028C000-memory.dmp	upx
behavioral1/files/0x0005000000018ef7-79.dat	upx
behavioral1/memory/2836-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2108-97-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2636-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2940-110-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000018f6e-118.dat	upx
behavioral1/memory/2888-128-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2196-131-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2556-144-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000018f8e-158.dat	upx
behavioral1/memory/2556-177-0x0000000000260000-0x000000000027C000-memory.dmp	upx
behavioral1/memory/2908-169-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000018f9e-192.dat	upx
behavioral1/memory/616-190-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2520-198-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2668-206-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1820-210-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1520-223-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000018fba-228.dat	upx
behavioral1/memory/3040-231-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/776-240-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1712-250-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/340-258-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2316-266-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1260-275-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/236-290-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2084-293-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1924-302-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1708-325-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2380-337-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2272-342-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2672-350-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1824-355-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2704-360-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2816-369-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2612-377-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/764-380-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/948-394-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2384-405-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1824-407-0x00000000003D0000-0x00000000003EC000-memory.dmp	upx
behavioral1/memory/2464-408-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2276-426-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2272-424-0x00000000003E0000-0x00000000003FC000-memory.dmp	upx
behavioral1/memory/2244-429-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2104-437-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2272-438-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/588-456-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2912-450-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2500-1231-0x00000000774A0000-0x00000000775BF000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	data.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\System Restore.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\update.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\data.exe	System Restore.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe	data.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\Fonts\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\CreateDisc\style\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\update.exe	update.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\5857dbc9f0d3cb3364728ec72497ece9\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.Interop\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\Downloaded Program Files\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\diagnostics\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\Globalization\ELS\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\it-IT\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\backup.exe	backup.exe
File opened for modification	C:\Windows\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\data.exe	System Restore.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Styles\NTSC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\update.exe	backup.exe
File opened for modification	C:\Windows\ehome\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehCIR\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\MCX\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe	System Restore.exe
File opened for modification	C:\Windows\AppPatch\en-US\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Styles\PAL\Symphony\update.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehexthost\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\13385391832b7c36af9306baeb570e57\data.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Mcx2Dvcs\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System Restore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2284	backup.exe
2256	backup.exe
940	backup.exe
2444	backup.exe
2744	backup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
2364	backup.exe
2672	backup.exe
2804	backup.exe
2836	backup.exe
2940	backup.exe
2636	backup.exe
2108	backup.exe
2556	backup.exe
2196	backup.exe
2888	backup.exe
616	backup.exe
2668	data.exe
2908	backup.exe
1520	backup.exe
2520	backup.exe
1820	backup.exe
3040	update.exe
776	backup.exe
1712	backup.exe
340	backup.exe
2316	backup.exe
1260	backup.exe
236	backup.exe
2084	backup.exe
1924	System Restore.exe
2272	backup.exe
1708	backup.exe
1824	backup.exe
2380	backup.exe
2704	System Restore.exe
2672	backup.exe
2816	backup.exe
2612	backup.exe
764	update.exe
2384	update.exe
948	backup.exe
2464	backup.exe
2276	backup.exe
2244	backup.exe
2104	backup.exe
588	backup.exe
2912	backup.exe
1744	data.exe
2908	backup.exe
2676	backup.exe
2532	backup.exe
2184	backup.exe
3028	backup.exe
772	System Restore.exe
2408	backup.exe
1328	backup.exe
1284	backup.exe
2024	backup.exe
316	backup.exe
828	data.exe
2088	backup.exe
1652	backup.exe
2000	backup.exe
2852	backup.exe
1844	System Restore.exe
2788	backup.exe
2880	backup.exe
2696	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2364	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	29
PID 904 wrote to memory of 2364	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	29
PID 904 wrote to memory of 2364	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	29
PID 904 wrote to memory of 2364	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	29
PID 904 wrote to memory of 2672	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	30
PID 904 wrote to memory of 2672	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	30
PID 904 wrote to memory of 2672	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	30
PID 904 wrote to memory of 2672	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	30
PID 904 wrote to memory of 2804	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	31
PID 904 wrote to memory of 2804	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	31
PID 904 wrote to memory of 2804	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	31
PID 904 wrote to memory of 2804	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	31
PID 904 wrote to memory of 2836	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	32
PID 904 wrote to memory of 2836	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	32
PID 904 wrote to memory of 2836	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	32
PID 904 wrote to memory of 2836	904	c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe	32
PID 2364 wrote to memory of 2940	2364	backup.exe	34
PID 2364 wrote to memory of 2940	2364	backup.exe	34
PID 2364 wrote to memory of 2940	2364	backup.exe	34
PID 2364 wrote to memory of 2940	2364	backup.exe	34
PID 2940 wrote to memory of 2636	2940	backup.exe	35
PID 2940 wrote to memory of 2636	2940	backup.exe	35
PID 2940 wrote to memory of 2636	2940	backup.exe	35
PID 2940 wrote to memory of 2636	2940	backup.exe	35
PID 2636 wrote to memory of 2108	2636	backup.exe	36
PID 2636 wrote to memory of 2108	2636	backup.exe	36
PID 2636 wrote to memory of 2108	2636	backup.exe	36
PID 2636 wrote to memory of 2108	2636	backup.exe	36
PID 2940 wrote to memory of 2556	2940	backup.exe	37
PID 2940 wrote to memory of 2556	2940	backup.exe	37
PID 2940 wrote to memory of 2556	2940	backup.exe	37
PID 2940 wrote to memory of 2556	2940	backup.exe	37
PID 2556 wrote to memory of 2196	2556	backup.exe	38
PID 2556 wrote to memory of 2196	2556	backup.exe	38
PID 2556 wrote to memory of 2196	2556	backup.exe	38
PID 2556 wrote to memory of 2196	2556	backup.exe	38
PID 2196 wrote to memory of 2888	2196	backup.exe	39
PID 2196 wrote to memory of 2888	2196	backup.exe	39
PID 2196 wrote to memory of 2888	2196	backup.exe	39
PID 2196 wrote to memory of 2888	2196	backup.exe	39
PID 2556 wrote to memory of 616	2556	backup.exe	40
PID 2556 wrote to memory of 616	2556	backup.exe	40
PID 2556 wrote to memory of 616	2556	backup.exe	40
PID 2556 wrote to memory of 616	2556	backup.exe	40
PID 616 wrote to memory of 2668	616	backup.exe	41
PID 616 wrote to memory of 2668	616	backup.exe	41
PID 616 wrote to memory of 2668	616	backup.exe	41
PID 616 wrote to memory of 2668	616	backup.exe	41
PID 2668 wrote to memory of 2908	2668	data.exe	42
PID 2668 wrote to memory of 2908	2668	data.exe	42
PID 2668 wrote to memory of 2908	2668	data.exe	42
PID 2668 wrote to memory of 2908	2668	data.exe	42
PID 2668 wrote to memory of 1520	2668	data.exe	43
PID 2668 wrote to memory of 1520	2668	data.exe	43
PID 2668 wrote to memory of 1520	2668	data.exe	43
PID 2668 wrote to memory of 1520	2668	data.exe	43
PID 1520 wrote to memory of 2520	1520	backup.exe	44
PID 1520 wrote to memory of 2520	1520	backup.exe	44
PID 1520 wrote to memory of 2520	1520	backup.exe	44
PID 1520 wrote to memory of 2520	1520	backup.exe	44
PID 1520 wrote to memory of 1820	1520	backup.exe	45
PID 1520 wrote to memory of 1820	1520	backup.exe	45
PID 1520 wrote to memory of 1820	1520	backup.exe	45
PID 1520 wrote to memory of 1820	1520	backup.exe	45

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe
"C:\Users\Admin\AppData\Local\Temp\c230de875261b35e2f2e690e46e10a96947fb0db1267cd9b2d909c0ba296314cN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\2727793027\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2727793027\backup.exe C:\Users\Admin\AppData\Local\Temp\2727793027\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2364
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2108
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:616
      - C:\Program Files\Common Files\Microsoft Shared\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:236
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2184
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:3056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:2900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:2924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:2168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:2112
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2360
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2456
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:2500
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2264
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2700
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2440
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:2156
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:2704
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:2636
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        System policy modification
        
        PID:2072
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2960
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:2768
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:3048
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:2560
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:2344
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1060
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:392
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2852
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:2148
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:2412
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2100
      - C:\Program Files\Common Files\SpeechEngines\update.exe
        
        "C:\Program Files\Common Files\SpeechEngines\update.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        System policy modification
        
        PID:2500
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1480
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:2984
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2868
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:392
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1580
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2580
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1304
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2640
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1292
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2208
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2748
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2380
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1980
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2924
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:2984
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1716
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2116
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1652
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2652
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2644
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:3052
        
        C:\Program Files\Common Files\System\Ole DB\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\update.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1852
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Program Files\Common Files\System\Ole DB\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2896
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:2644
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1264
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1500
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:2112
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        
        PID:964
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:1712
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:932
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:2576
      - C:\Program Files\DVD Maker\fr-FR\update.exe
        
        "C:\Program Files\DVD Maker\fr-FR\update.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:952
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2172
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1268
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2300
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:2160
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:2256
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1700
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:2232
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:2184
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:1328
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        System policy modification
        
        PID:2568
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2804
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:3000
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2676
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1500
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2088
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:2800
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:3068
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:2544
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:2080
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:2728
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:1940
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:1544
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:1560
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1108
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:2320
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:2576
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Drops file in Program Files directory
        
        PID:2616
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        
        PID:1804
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2432
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:2524
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:360
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2824
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        
        PID:2732
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:2788
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2724
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:2472
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1400
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2468
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1560
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1720
      - C:\Program Files\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files\Internet Explorer\it-IT\System Restore.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2912
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2040
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
    - - C:\Program Files\Java\System Restore.exe
        
        "C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\
        5⤵
        
        PID:340
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1272
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:2780
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:2916
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        8⤵
        
        PID:2732
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        8⤵
        
        PID:2908
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:2340
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
        8⤵
        
        PID:1568
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
        9⤵
        
        PID:2144
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        
        PID:3000
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2500
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
        9⤵
        
        PID:2960
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
        9⤵
        
        PID:616
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
        8⤵
        Drops file in Program Files directory
        
        PID:1700
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
        9⤵
        
        PID:1652
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
        9⤵
        
        PID:2128
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
        9⤵
        
        PID:1620
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
        9⤵
        System policy modification
        
        PID:2288
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
        9⤵
        
        PID:932
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
        9⤵
        
        PID:2248
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
        9⤵
        
        PID:2292
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
        10⤵
        
        PID:1744
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
        9⤵
        
        PID:2496
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
        9⤵
        
        PID:1600
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
        9⤵
        
        PID:1688
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
        10⤵
        
        PID:1724
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
        10⤵
        
        PID:3056
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
        11⤵
        
        PID:2628
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
        11⤵
        
        PID:2532
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
        11⤵
        
        PID:2344
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
        10⤵
        
        PID:2120
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
        10⤵
        
        PID:1912
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
        10⤵
        
        PID:2560
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
        10⤵
        
        PID:2440
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
        10⤵
        
        PID:1568
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
        10⤵
        
        PID:2236
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
        10⤵
        
        PID:980
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
        10⤵
        
        PID:2724
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
        10⤵
        
        PID:1316
        
        C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
        7⤵
        
        PID:2996
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
        8⤵
        Drops file in Program Files directory
        
        PID:2692
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
        9⤵
        
        PID:2816
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        
        PID:1680
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:2392
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
        9⤵
        
        PID:2440
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
        9⤵
        
        PID:2800
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        
        PID:1480
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        
        PID:2300
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        
        PID:1516
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        
        PID:2816
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
        10⤵
        
        PID:2940
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
        10⤵
        
        PID:2176
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2384
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        10⤵
        
        PID:1292
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
        10⤵
        
        PID:2796
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
        10⤵
        
        PID:2672
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
        11⤵
        
        PID:2084
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
        10⤵
        
        PID:2144
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
        11⤵
        
        PID:2628
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:1520
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        
        PID:2788
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
        10⤵
        
        PID:2084
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
        10⤵
        
        PID:880
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
        11⤵
        System policy modification
        
        PID:2400
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
        9⤵
        
        PID:2116
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        10⤵
        
        PID:1800
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
        11⤵
        
        PID:952
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
        12⤵
        
        PID:2136
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
        10⤵
        System policy modification
        
        PID:1944
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
        11⤵
        
        PID:1052
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
        12⤵
        
        PID:3048
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
        9⤵
        System policy modification
        
        PID:2256
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
        10⤵
        
        PID:948
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
        11⤵
        Drops file in Program Files directory
        
        PID:3056
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
        12⤵
        Drops file in Program Files directory
        
        PID:2816
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
        13⤵
        
        PID:2768
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
        13⤵
        
        PID:2116
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
        13⤵
        
        PID:1940
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
        11⤵
        
        PID:1300
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
        11⤵
        
        PID:2612
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
        10⤵
        Drops file in Program Files directory
        
        PID:2704
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
        11⤵
        
        PID:1464
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
        11⤵
        
        PID:2532
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
        11⤵
        
        PID:772
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
        11⤵
        
        PID:2688
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
        11⤵
        
        PID:2096
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
        10⤵
        Drops file in Program Files directory
        
        PID:2352
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1476
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\
        12⤵
        
        PID:1188
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
        8⤵
        
        PID:3060
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
        9⤵
        
        PID:1300
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
        9⤵
        
        PID:2008
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\
        10⤵
        
        PID:1580
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2056
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\
        11⤵
        
        PID:2444
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\
        10⤵
        
        PID:2684
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\
        11⤵
        
        PID:1236
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\
        10⤵
        
        PID:1728
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\
        11⤵
        
        PID:3036
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\
        10⤵
        
        PID:2720
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\
        11⤵
        
        PID:1804
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\
        12⤵
        
        PID:276
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\
        11⤵
        
        PID:2348
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\
        10⤵
        
        PID:2216
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
        9⤵
        Drops file in Program Files directory
        
        PID:2036
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\
        10⤵
        
        PID:2896
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\
        11⤵
        
        PID:2368
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\
        10⤵
        
        PID:2640
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\
        11⤵
        
        PID:1160
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\
        12⤵
        
        PID:1924
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
        13⤵
        
        PID:2040
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\
        12⤵
        Drops file in Program Files directory
        
        PID:2920
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
        13⤵
        
        PID:1776
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\
        11⤵
        
        PID:972
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\
        10⤵
        
        PID:1324
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\
        11⤵
        
        PID:844
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\
        10⤵
        
        PID:3068
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\
        9⤵
        
        PID:1964
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\
        10⤵
        
        PID:392
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\
        11⤵
        
        PID:2388
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\
        10⤵
        
        PID:2636
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\
        10⤵
        
        PID:1380
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\
        11⤵
        
        PID:2176
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\
        10⤵
        
        PID:2964
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2588
        
        C:\Program Files\Java\jre7\bin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
        8⤵
        
        PID:2108
        
        C:\Program Files\Java\jre7\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
        8⤵
        
        PID:1860
        
        C:\Program Files\Java\jre7\bin\server\backup.exe
        
        "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
        8⤵
        
        PID:1300
        
        C:\Program Files\Java\jre7\lib\backup.exe
        
        "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        
        PID:2160
        
        C:\Program Files\Java\jre7\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
        8⤵
        
        PID:1576
        
        C:\Program Files\Java\jre7\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
        8⤵
        
        PID:1784
        
        C:\Program Files\Java\jre7\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\
        8⤵
        
        PID:2264
        
        C:\Program Files\Java\jre7\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\
        8⤵
        
        PID:2040
        
        C:\Program Files\Java\jre7\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\
        8⤵
        
        PID:2392
        
        C:\Program Files\Java\jre7\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\
        8⤵
        
        PID:1720
        
        C:\Program Files\Java\jre7\lib\images\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
        8⤵
        
        PID:2052
        
        C:\Program Files\Java\jre7\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\cursors\backup.exe" C:\Program Files\Java\jre7\lib\images\cursors\
        9⤵
        
        PID:2176
        
        C:\Program Files\Java\jre7\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
        8⤵
        
        PID:1984
        
        C:\Program Files\Java\jre7\lib\management\backup.exe
        
        "C:\Program Files\Java\jre7\lib\management\backup.exe" C:\Program Files\Java\jre7\lib\management\
        8⤵
        
        PID:2284
        
        C:\Program Files\Java\jre7\lib\security\backup.exe
        
        "C:\Program Files\Java\jre7\lib\security\backup.exe" C:\Program Files\Java\jre7\lib\security\
        8⤵
        
        PID:2360
        
        C:\Program Files\Java\jre7\lib\zi\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\backup.exe" C:\Program Files\Java\jre7\lib\zi\
        8⤵
        Drops file in Program Files directory
        
        PID:1968
        
        C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe" C:\Program Files\Java\jre7\lib\zi\Africa\
        9⤵
        System policy modification
        
        PID:2744
        
        C:\Program Files\Java\jre7\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\
        9⤵
        Drops file in Program Files directory
        
        PID:2976
        
        C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Argentina\
        10⤵
        
        PID:776
        
        C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Indiana\
        10⤵
        
        PID:2324
        
        C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Kentucky\
        10⤵
        
        PID:2424
        
        C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jre7\lib\zi\Antarctica\
        9⤵
        
        PID:764
        
        C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Asia\
        9⤵
        
        PID:2248
        
        C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jre7\lib\zi\Atlantic\
        9⤵
        
        PID:2336
        
        C:\Program Files\Java\jre7\lib\zi\Australia\update.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Australia\update.exe" C:\Program Files\Java\jre7\lib\zi\Australia\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe" C:\Program Files\Java\jre7\lib\zi\Etc\
        9⤵
        
        PID:1496
        
        C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe" C:\Program Files\Java\jre7\lib\zi\Europe\
        9⤵
        
        PID:2036
        
        C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe" C:\Program Files\Java\jre7\lib\zi\Indian\
        9⤵
        
        PID:1992
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2548
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        Drops file in Program Files directory
        
        PID:1920
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:2256
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        
        PID:1992
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        
        PID:2348
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        
        PID:2040
        
        C:\Program Files\Microsoft Games\Chess\it-IT\update.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\update.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        7⤵
        
        PID:2668
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        7⤵
        
        PID:2632
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        Drops file in Program Files directory
        
        PID:1060
        
        C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
        7⤵
        
        PID:2044
        
        C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
        7⤵
        
        PID:2532
        
        C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
        7⤵
        
        PID:1724
        
        C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
        7⤵
        
        PID:1332
        
        C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
        7⤵
        
        PID:2832
        
        C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
        7⤵
        
        PID:1080
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
        7⤵
        
        PID:928
        
        C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe" C:\Program Files\Microsoft Games\Hearts\en-US\
        7⤵
        
        PID:236
        
        C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\
        7⤵
        
        PID:1480
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\System Restore.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\
        7⤵
        System policy modification
        
        PID:1924
        
        C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\
        7⤵
        
        PID:2188
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe" C:\Program Files\Microsoft Games\Mahjong\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2520
        
        C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe" C:\Program Files\Microsoft Games\Mahjong\en-US\
        7⤵
        
        PID:2768
        
        C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe" C:\Program Files\Microsoft Games\Mahjong\es-ES\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Mahjong\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2516
        
        C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe" C:\Program Files\Microsoft Games\Mahjong\it-IT\
        7⤵
        System policy modification
        
        PID:1716
        
        C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Mahjong\ja-JP\
        7⤵
        
        PID:3016
      - C:\Program Files\Microsoft Games\Minesweeper\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:3064
        
        C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\
        7⤵
        
        PID:1920
        
        C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2016
        
        C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\es-ES\
        7⤵
        
        PID:980
        
        C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\fr-FR\
        7⤵
        
        PID:2588
        
        C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\it-IT\
        7⤵
        
        PID:1388
        
        C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\ja-JP\
        7⤵
        
        PID:1996
      - C:\Program Files\Microsoft Games\More Games\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2856
        
        C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe" C:\Program Files\Microsoft Games\More Games\de-DE\
        7⤵
        
        PID:296
        
        C:\Program Files\Microsoft Games\More Games\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\en-US\backup.exe" C:\Program Files\Microsoft Games\More Games\en-US\
        7⤵
        
        PID:1860
        
        C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe" C:\Program Files\Microsoft Games\More Games\es-ES\
        7⤵
        
        PID:1476
        
        C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe" C:\Program Files\Microsoft Games\More Games\fr-FR\
        7⤵
        
        PID:1480
        
        C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe" C:\Program Files\Microsoft Games\More Games\it-IT\
        7⤵
        
        PID:1036
        
        C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe" C:\Program Files\Microsoft Games\More Games\ja-JP\
        7⤵
        
        PID:2272
      - C:\Program Files\Microsoft Games\Multiplayer\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\
        7⤵
        
        PID:2620
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\data.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\data.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\
        8⤵
        
        PID:2152
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2840
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:1604
        
        C:\Program Files\Microsoft Office\Office14\1033\update.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\update.exe" C:\Program Files\Microsoft Office\Office14\1033\
        7⤵
        
        PID:2740
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Drops file in Program Files directory
        
        PID:2688
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1064
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        System policy modification
        
        PID:1476
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:3068
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
        
        C:\Program Files\Mozilla Firefox\defaults\pref\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\System Restore.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2392
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:2444
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\data.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\data.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:2424
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:3016
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:1656
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2300
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        Drops file in Program Files directory
        
        PID:2844
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:2532
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        System policy modification
        
        PID:1312
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1912
      - C:\Program Files\Reference Assemblies\Microsoft\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\data.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:3036
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:2656
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:2272
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1944
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:2276
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:2788
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:808
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2636
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:772
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:2660
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:836
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2672
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        
        PID:1284
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:1292
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        
        PID:1864
        
        C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        
        PID:2516
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:2944
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        8⤵
        
        PID:2468
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
      - C:\Program Files\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files\Windows Defender\de-DE\backup.exe" C:\Program Files\Windows Defender\de-DE\
        6⤵
        
        PID:2900
      - C:\Program Files\Windows Defender\en-US\backup.exe
        
        "C:\Program Files\Windows Defender\en-US\backup.exe" C:\Program Files\Windows Defender\en-US\
        6⤵
        System policy modification
        
        PID:2748
  - - C:\Program Files (x86)\data.exe
      "C:\Program Files (x86)\data.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:2196
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2872
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:1744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:2332
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:808
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:2632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2896
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:2080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:2988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        System policy modification
        
        PID:1272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:2504
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        System policy modification
        
        PID:2348
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:2908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        System policy modification
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2096
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1324
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:928
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:2548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        Drops file in Program Files directory
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        Drops file in Program Files directory
        
        PID:2580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        
        PID:2080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        Drops file in Program Files directory
        
        PID:2288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2284
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2256
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        Modifies visibility of file extensions in Explorer
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2444
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2904
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2964
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\data.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:3036
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:2792
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\data.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:2988
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Drops file in Program Files directory
        
        PID:2624
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        System policy modification
        
        PID:2676
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:2592
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2632
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:588
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:2468
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2708
      - C:\Program Files (x86)\Common Files\microsoft shared\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1696
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:2784
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:2684
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        8⤵
        System policy modification
        
        PID:952
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:2636
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:972
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        
        PID:828
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:2116
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
        8⤵
        
        PID:2768
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
        8⤵
        
        PID:2688
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
        8⤵
        
        PID:1080
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
        8⤵
        
        PID:1108
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
        8⤵
        
        PID:1660
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
        8⤵
        
        PID:3028
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
        8⤵
        
        PID:1992
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
        8⤵
        
        PID:2296
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
        8⤵
        System policy modification
        
        PID:2172
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
        8⤵
        
        PID:2792
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
        8⤵
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        7⤵
        Drops file in Program Files directory
        
        PID:2520
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        8⤵
        
        PID:2560
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        8⤵
        
        PID:2260
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        8⤵
        
        PID:2464
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:1596
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        8⤵
        
        PID:1648
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:1712
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:2736
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:2184
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:3044
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        7⤵
        
        PID:1476
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        7⤵
        Drops file in Program Files directory
        
        PID:1800
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:3016
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:2468
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:1956
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:1640
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:2124
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:2520
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:1856
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        7⤵
        
        PID:2956
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
        8⤵
        System policy modification
        
        PID:1620
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
        8⤵
        
        PID:2160
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
        8⤵
        Drops file in Program Files directory
        
        PID:2952
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
        9⤵
        
        PID:964
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
        9⤵
        
        PID:2060
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
        9⤵
        
        PID:392
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
        9⤵
        
        PID:2316
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
        9⤵
        
        PID:2648
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
        9⤵
        
        PID:972
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
        9⤵
        
        PID:2248
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
        9⤵
        
        PID:304
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
        9⤵
        System policy modification
        
        PID:2720
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
        9⤵
        
        PID:828
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\
        9⤵
        
        PID:1260
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\
        9⤵
        
        PID:932
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\
        9⤵
        
        PID:2732
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\
        9⤵
        
        PID:2636
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\
        9⤵
        
        PID:2836
        
        C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2204
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
        7⤵
        
        PID:984
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
        8⤵
        
        PID:1864
        
        C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
        7⤵
        
        PID:2744
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\
        8⤵
        
        PID:1996
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\
        8⤵
        
        PID:2668
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\
        9⤵
        
        PID:1304
        
        C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:2992
        
        C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2988
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:1392
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:316
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:2716
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\
        8⤵
        
        PID:2728
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2268
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\
        8⤵
        
        PID:2888
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
        7⤵
        Drops file in Program Files directory
        
        PID:2300
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\
        8⤵
        
        PID:2568
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\
        8⤵
        
        PID:940
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\
        8⤵
        
        PID:2660
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\
        8⤵
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:904
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\
        8⤵
        System policy modification
        
        PID:2560
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\
        8⤵
        
        PID:1328
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\
        7⤵
        
        PID:340
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\
        8⤵
        
        PID:2668
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\
        8⤵
        
        PID:1456
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\
        8⤵
        
        PID:2288
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
      - C:\Program Files (x86)\Common Files\Services\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Services\System Restore.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2320
      - C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:3044
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2176
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1844
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:2276
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\data.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\data.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2732
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:2908
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1604
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1400
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2708
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1596
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:2876
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:1652
        
        C:\Program Files (x86)\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\update.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:2812
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:2604
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:2188
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:2792
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:2420
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2056
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:2096
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2808
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\update.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\update.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2472
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\
        7⤵
        
        PID:616
        
        C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\1033\
        8⤵
        
        PID:1496
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:2268
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2788
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:1316
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1720
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:2144
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1120
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\update.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\update.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:904
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1236
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:972
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:828
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1624
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:2584
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:2488
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:2080
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        System policy modification
        
        PID:2288
        
        C:\Program Files (x86)\Google\Update\Install\{81B62077-4199-45EB-921D-6EB76AC289EE}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{81B62077-4199-45EB-921D-6EB76AC289EE}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{81B62077-4199-45EB-921D-6EB76AC289EE}\
        8⤵
        
        PID:2224
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:316
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:2816
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1864
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1684
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1860
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1108
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:980
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:612
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2096
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2780
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:2532
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\data.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\data.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
        7⤵
        
        PID:2440
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
        8⤵
        
        PID:112
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
        8⤵
        
        PID:2180
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\update.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1692
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1868
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\
        7⤵
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\
        8⤵
        
        PID:112
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:2180
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\
        7⤵
        
        PID:1600
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\
        7⤵
        
        PID:1672
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        
        PID:2320
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\
        7⤵
        
        PID:2044
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\data.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\
        8⤵
        
        PID:2480
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2732
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\
        8⤵
        
        PID:2916
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\
        8⤵
        
        PID:2224
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\
        8⤵
        
        PID:2468
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\
        8⤵
        
        PID:2296
      - C:\Program Files (x86)\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\
        6⤵
        
        PID:1680
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\
        7⤵
        
        PID:1520
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\
        8⤵
        
        PID:360
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\
        8⤵
        System policy modification
        
        PID:2328
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\
        8⤵
        
        PID:2348
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\
        9⤵
        
        PID:1820
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\
        10⤵
        
        PID:848
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\
        10⤵
        System policy modification
        
        PID:1388
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\
        10⤵
        
        PID:2928
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\
        10⤵
        
        PID:2136
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\
        10⤵
        
        PID:2792
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\
        10⤵
        
        PID:1576
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\
        10⤵
        
        PID:1692
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\
        10⤵
        
        PID:1728
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\
        10⤵
        
        PID:2864
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\
        10⤵
        
        PID:2388
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\
        10⤵
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\
        10⤵
        
        PID:3044
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\
        8⤵
        
        PID:1920
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\
        8⤵
        
        PID:2572
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\
        8⤵
        
        PID:2352
        
        C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1036\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\3082\
        7⤵
        
        PID:2612
        
        C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\
        7⤵
        
        PID:1656
        
        C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\data.exe" C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\
        7⤵
        
        PID:2124
        
        C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\
        7⤵
        
        PID:1400
        
        C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\
        7⤵
        
        PID:2788
        
        C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\update.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\update.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\
        8⤵
        
        PID:832
        
        C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\
        8⤵
        
        PID:2176
        
        C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\
        7⤵
        
        PID:108
        
        C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\
        8⤵
        
        PID:2328
        
        C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\
        7⤵
        
        PID:1804
        
        C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\
        8⤵
        
        PID:1688
        
        C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\
        9⤵
        
        PID:2992
        
        C:\Program Files (x86)\Microsoft Office\Office14\FORMS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\FORMS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\FORMS\
        7⤵
        Drops file in Program Files directory
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\update.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\update.exe" C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\
        8⤵
        
        PID:2392
      - C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe" C:\Program Files (x86)\Microsoft Office\Stationery\
        6⤵
        
        PID:2420
        
        C:\Program Files (x86)\Microsoft Office\Stationery\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Stationery\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Stationery\1033\
        7⤵
        
        PID:2780
      - C:\Program Files (x86)\Microsoft Office\Templates\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\
        6⤵
        
        PID:1948
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\
        7⤵
        
        PID:2964
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\
        8⤵
        Drops file in Program Files directory
        
        PID:2084
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\
        9⤵
        
        PID:2180
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\data.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\
        9⤵
        
        PID:2316
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\
        9⤵
        
        PID:1008
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\
        8⤵
        
        PID:2992
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\
        8⤵
        
        PID:1140
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\
        9⤵
        Drops file in Program Files directory
        
        PID:2064
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\
        10⤵
        
        PID:2516
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\
        10⤵
        
        PID:2692
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\
        7⤵
        
        PID:2172
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1304
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:2276
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\
        7⤵
        
        PID:1600
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2784
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\
        6⤵
        Drops file in Program Files directory
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\
        7⤵
        
        PID:2644
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\
        8⤵
        System policy modification
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\
        9⤵
        System policy modification
        
        PID:2592
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\
        7⤵
        
        PID:2404
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\System Restore.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\
        8⤵
        
        PID:636
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\
        9⤵
        
        PID:2588
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\
        10⤵
        
        PID:236
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2572
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\
        6⤵
        
        PID:964
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\
        7⤵
        
        PID:1732
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        Drops file in Program Files directory
        
        PID:616
      - C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2092
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\
        7⤵
        System policy modification
        
        PID:2520
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\
        8⤵
        
        PID:2016
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\
        8⤵
        
        PID:1040
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\
        8⤵
        
        PID:1724
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\
        9⤵
        
        PID:2472
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\
        10⤵
        
        PID:2844
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\
        10⤵
        
        PID:2832
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\
        7⤵
        
        PID:1328
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\
        8⤵
        
        PID:2724
      - C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\
        6⤵
        
        PID:1104
      - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\
        6⤵
        
        PID:2292
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\
        7⤵
        
        PID:1516
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\
        8⤵
        System policy modification
        
        PID:1708
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:772
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:2544
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:2072
    - - C:\Program Files (x86)\Mozilla Maintenance Service\data.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\data.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:2992
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:3056
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:1460
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        
        PID:1264
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        Drops file in Program Files directory
        
        PID:1040
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:2868
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:932
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2436
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2656
      - C:\Users\Admin\Contacts\System Restore.exe
        
        "C:\Users\Admin\Contacts\System Restore.exe" C:\Users\Admin\Contacts\
        6⤵
        
        PID:2772
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2716
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2960
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2936
      - C:\Users\Admin\Favorites\update.exe
        
        C:\Users\Admin\Favorites\update.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1856
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1988
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1464
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2248
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2180
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        System policy modification
        
        PID:2876
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2812
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2676
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:964
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:3016
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2172
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        7⤵
        
        PID:1816
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:684
        
        C:\Users\Public\Recorded TV\Sample Media\backup.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1768
        
        C:\Users\Public\Videos\Sample Videos\backup.exe
        
        "C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
        7⤵
        
        PID:2796
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:2948
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2192
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:2060
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Drops file in Windows directory
        
        PID:2100
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:2612
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:1632
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:2660
      - C:\Windows\AppPatch\de-DE\System Restore.exe
        
        "C:\Windows\AppPatch\de-DE\System Restore.exe" C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:808
      - C:\Windows\AppPatch\en-US\data.exe
        
        C:\Windows\AppPatch\en-US\data.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:2672
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:2720
      - C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
      - C:\Windows\AppPatch\ja-JP\backup.exe
        
        C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2204
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:2408
      - C:\Windows\assembly\GAC\System Restore.exe
        
        "C:\Windows\assembly\GAC\System Restore.exe" C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:960
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:2108
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1064
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:2192
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:948
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\
        8⤵
        
        PID:2120
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\
        8⤵
        
        PID:2636
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:2676
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:592
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:2544
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:2020
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1500
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:2688
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1940
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        
        PID:2860
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\
        7⤵
        
        PID:1968
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2724
        
        C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\
        7⤵
        System policy modification
        
        PID:360
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2132
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:636
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\
        7⤵
        Drops file in Windows directory
        
        PID:2108
        
        C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:964
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:2964
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2612
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\
        7⤵
        
        PID:112
        
        C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2728
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\
        7⤵
        
        PID:1640
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2228
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\update.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\update.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\
        8⤵
        
        PID:1576
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\
        8⤵
        
        PID:360
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\
        8⤵
        
        PID:1912
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\
        8⤵
        
        PID:2760
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\
        8⤵
        
        PID:1456
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\
        7⤵
        Drops file in Windows directory
        
        PID:1560
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        Drops file in Windows directory
        
        PID:1332
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:880
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        Drops file in Windows directory
        
        PID:2228
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1768
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\
        7⤵
        
        PID:2460
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\
        8⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\
        7⤵
        Drops file in Windows directory
        
        PID:2072
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\
        8⤵
        System policy modification
        
        PID:1780
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\
        7⤵
        
        PID:2148
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        Drops file in Windows directory
        
        PID:684
        
        C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\backup.exe
        
        C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\backup.exe C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\
        7⤵
        Drops file in Windows directory
        
        PID:236
        
        C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:904
        
        C:\Windows\assembly\GAC_64\BDATunePIA\backup.exe
        
        C:\Windows\assembly\GAC_64\BDATunePIA\backup.exe C:\Windows\assembly\GAC_64\BDATunePIA\
        7⤵
        Drops file in Windows directory
        
        PID:2236
        
        C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2960
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2904
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2256
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:2920
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2396
        
        C:\Windows\assembly\GAC_64\mcstoredb\backup.exe
        
        C:\Windows\assembly\GAC_64\mcstoredb\backup.exe C:\Windows\assembly\GAC_64\mcstoredb\
        7⤵
        Drops file in Windows directory
        
        PID:2340
        
        C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
        
        C:\Windows\assembly\GAC_64\mcupdate\update.exe
        
        C:\Windows\assembly\GAC_64\mcupdate\update.exe C:\Windows\assembly\GAC_64\mcupdate\
        7⤵
        
        PID:2216
        
        C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:360
        
        C:\Windows\assembly\GAC_64\Mcx2Dvcs\backup.exe
        
        C:\Windows\assembly\GAC_64\Mcx2Dvcs\backup.exe C:\Windows\assembly\GAC_64\Mcx2Dvcs\
        7⤵
        Drops file in Windows directory
        
        PID:1100
        
        C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\
        7⤵
        Drops file in Windows directory
        
        PID:2572
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2400
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\
        7⤵
        Drops file in Windows directory
        
        PID:2696
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\
        8⤵
        
        PID:2612
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\
        8⤵
        
        PID:2652
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\
        8⤵
        
        PID:1540
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.Interop\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.Interop\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.Interop\
        7⤵
        Drops file in Windows directory
        
        PID:108
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        Drops file in Windows directory
        
        PID:2432
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        
        PID:2824
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:296
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\
        7⤵
        
        PID:2852
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2000
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\
        7⤵
        
        PID:1756
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:360
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe C:\Windows\assembly\GAC_MSIL\dfsvc\
        7⤵
        System policy modification
        
        PID:932
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2028
        
        C:\Windows\assembly\GAC_MSIL\ehCIR\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ehCIR\backup.exe C:\Windows\assembly\GAC_MSIL\ehCIR\
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2960
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1288
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\
        7⤵
        
        PID:2096
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\9859a6e0562f64eacfb8ad76f260a2d6\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\9859a6e0562f64eacfb8ad76f260a2d6\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\9859a6e0562f64eacfb8ad76f260a2d6\
        8⤵
        
        PID:612
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\
        7⤵
        
        PID:1856
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\a0a453714c9ec8d6954490f711f5158a\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\a0a453714c9ec8d6954490f711f5158a\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\a0a453714c9ec8d6954490f711f5158a\
        8⤵
        
        PID:2124
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\
        7⤵
        Drops file in Windows directory
        
        PID:2128
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\
        8⤵
        System policy modification
        
        PID:1532
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\
        8⤵
        
        PID:2916
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\
        7⤵
        
        PID:2156
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:360
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\
        7⤵
        
        PID:2708
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        Drops file in Windows directory
        
        PID:1568
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\
        7⤵
        Drops file in Windows directory
        
        PID:1944
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\
        8⤵
        
        PID:2688
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\
        7⤵
        
        PID:2960
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\ce8c100b866ac8facc1902286aede990\update.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\ce8c100b866ac8facc1902286aede990\update.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\ce8c100b866ac8facc1902286aede990\
        8⤵
        
        PID:1100
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\
        7⤵
        Drops file in Windows directory
        
        PID:2968
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\13385391832b7c36af9306baeb570e57\data.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\13385391832b7c36af9306baeb570e57\data.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\13385391832b7c36af9306baeb570e57\
        8⤵
        
        PID:2748
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\
        7⤵
        Drops file in Windows directory
        
        PID:964
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\
        8⤵
        
        PID:2788
      - C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\
        6⤵
        System policy modification
        
        PID:2752
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\
        7⤵
        
        PID:636
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\
        8⤵
        
        PID:2216
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\
        7⤵
        Drops file in Windows directory
        System policy modification
        
        PID:2572
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\5857dbc9f0d3cb3364728ec72497ece9\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\5857dbc9f0d3cb3364728ec72497ece9\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\5857dbc9f0d3cb3364728ec72497ece9\
        8⤵
        
        PID:1576
      - C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\
        6⤵
        
        PID:272
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\
        7⤵
        
        PID:3012
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:888
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        Drops file in Windows directory
        
        PID:3056
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:2272
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        System policy modification
        
        PID:2216
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:940
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe C:\Windows\Branding\Basebrd\ja-JP\
        7⤵
        
        PID:2876
      - C:\Windows\Branding\ShellBrd\backup.exe
        
        C:\Windows\Branding\ShellBrd\backup.exe C:\Windows\Branding\ShellBrd\
        6⤵
        System policy modification
        
        PID:316
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2752
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2348
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:2272
      - C:\Windows\debug\WIA\backup.exe
        
        C:\Windows\debug\WIA\backup.exe C:\Windows\debug\WIA\
        6⤵
        
        PID:1284
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:2468
    - - C:\Windows\DigitalLocker\update.exe
        
        C:\Windows\DigitalLocker\update.exe C:\Windows\DigitalLocker\
        5⤵
        Drops file in Windows directory
        
        PID:2960
      - C:\Windows\DigitalLocker\de-DE\backup.exe
        
        C:\Windows\DigitalLocker\de-DE\backup.exe C:\Windows\DigitalLocker\de-DE\
        6⤵
        
        PID:2472
      - C:\Windows\DigitalLocker\en-US\update.exe
        
        C:\Windows\DigitalLocker\en-US\update.exe C:\Windows\DigitalLocker\en-US\
        6⤵
        
        PID:1576
      - C:\Windows\DigitalLocker\es-ES\backup.exe
        
        C:\Windows\DigitalLocker\es-ES\backup.exe C:\Windows\DigitalLocker\es-ES\
        6⤵
        
        PID:2112
      - C:\Windows\DigitalLocker\fr-FR\backup.exe
        
        C:\Windows\DigitalLocker\fr-FR\backup.exe C:\Windows\DigitalLocker\fr-FR\
        6⤵
        
        PID:980
      - C:\Windows\DigitalLocker\it-IT\backup.exe
        
        C:\Windows\DigitalLocker\it-IT\backup.exe C:\Windows\DigitalLocker\it-IT\
        6⤵
        
        PID:2088
      - C:\Windows\DigitalLocker\ja-JP\backup.exe
        
        C:\Windows\DigitalLocker\ja-JP\backup.exe C:\Windows\DigitalLocker\ja-JP\
        6⤵
        
        PID:1480
    - - C:\Windows\Downloaded Program Files\backup.exe
        
        "C:\Windows\Downloaded Program Files\backup.exe" C:\Windows\Downloaded Program Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
    - - C:\Windows\ehome\backup.exe
        
        C:\Windows\ehome\backup.exe C:\Windows\ehome\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:3028
      - C:\Windows\ehome\CreateDisc\System Restore.exe
        
        "C:\Windows\ehome\CreateDisc\System Restore.exe" C:\Windows\ehome\CreateDisc\
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\ehome\CreateDisc\Components\data.exe
        
        C:\Windows\ehome\CreateDisc\Components\data.exe C:\Windows\ehome\CreateDisc\Components\
        7⤵
        
        PID:904
        
        C:\Windows\ehome\CreateDisc\Components\tables\backup.exe
        
        C:\Windows\ehome\CreateDisc\Components\tables\backup.exe C:\Windows\ehome\CreateDisc\Components\tables\
        8⤵
        
        PID:1576
        
        C:\Windows\ehome\CreateDisc\Filters\backup.exe
        
        C:\Windows\ehome\CreateDisc\Filters\backup.exe C:\Windows\ehome\CreateDisc\Filters\
        7⤵
        
        PID:2320
        
        C:\Windows\ehome\CreateDisc\SFXPlugins\backup.exe
        
        C:\Windows\ehome\CreateDisc\SFXPlugins\backup.exe C:\Windows\ehome\CreateDisc\SFXPlugins\
        7⤵
        
        PID:2764
        
        C:\Windows\ehome\CreateDisc\SonicResources\backup.exe
        
        C:\Windows\ehome\CreateDisc\SonicResources\backup.exe C:\Windows\ehome\CreateDisc\SonicResources\
        7⤵
        
        PID:2124
        
        C:\Windows\ehome\CreateDisc\style\backup.exe
        
        C:\Windows\ehome\CreateDisc\style\backup.exe C:\Windows\ehome\CreateDisc\style\
        7⤵
        
        PID:2228
        
        C:\Windows\ehome\CreateDisc\Styles\backup.exe
        
        C:\Windows\ehome\CreateDisc\Styles\backup.exe C:\Windows\ehome\CreateDisc\Styles\
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\ehome\CreateDisc\Styles\NTSC\backup.exe
        
        C:\Windows\ehome\CreateDisc\Styles\NTSC\backup.exe C:\Windows\ehome\CreateDisc\Styles\NTSC\
        8⤵
        
        PID:1516
      - C:\Windows\ehome\de-DE\backup.exe
        
        C:\Windows\ehome\de-DE\backup.exe C:\Windows\ehome\de-DE\
        6⤵
        
        PID:3060
      - C:\Windows\ehome\en-US\backup.exe
        
        C:\Windows\ehome\en-US\backup.exe C:\Windows\ehome\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
      - C:\Windows\ehome\es-ES\backup.exe
        
        C:\Windows\ehome\es-ES\backup.exe C:\Windows\ehome\es-ES\
        6⤵
        
        PID:2200
      - C:\Windows\ehome\fr-FR\backup.exe
        
        C:\Windows\ehome\fr-FR\backup.exe C:\Windows\ehome\fr-FR\
        6⤵
        
        PID:2172
      - C:\Windows\ehome\it-IT\backup.exe
        
        C:\Windows\ehome\it-IT\backup.exe C:\Windows\ehome\it-IT\
        6⤵
        
        PID:2784
    - - C:\Windows\en-US\backup.exe
        
        C:\Windows\en-US\backup.exe C:\Windows\en-US\
        5⤵
        
        PID:2404
    - - C:\Windows\es-ES\backup.exe
        
        C:\Windows\es-ES\backup.exe C:\Windows\es-ES\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:928
    - - C:\Windows\Fonts\backup.exe
        
        C:\Windows\Fonts\backup.exe C:\Windows\Fonts\
        5⤵
        
        PID:2724
    - - C:\Windows\fr-FR\backup.exe
        
        C:\Windows\fr-FR\backup.exe C:\Windows\fr-FR\
        5⤵
        
        PID:3048
    - - C:\Windows\Globalization\backup.exe
        
        C:\Windows\Globalization\backup.exe C:\Windows\Globalization\
        5⤵
        Drops file in Windows directory
        
        PID:1104
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe
  C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_es-es_5d22d1b0b459e72e\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_es-es_5d22d1b0b459e72e\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_es-es_5d22d1b0b459e72e\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.activedir..bservices.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87fa7a898fe0796f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.activedir..bservices.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87fa7a898fe0796f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.activedir..bservices.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87fa7a898fe0796f\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.activedir..es.shared.resources_31bf3856ad364e35_6.1.7601.17514_es-es_31dc778ed7dbadb0\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.activedir..es.shared.resources_31bf3856ad364e35_6.1.7601.17514_es-es_31dc778ed7dbadb0\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.activedir..es.shared.resources_31bf3856ad364e35_6.1.7601.17514_es-es_31dc778ed7dbadb0\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e0b30dfb1f99fa95\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e0b30dfb1f99fa95\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e0b30dfb1f99fa95\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e893ac674fdb5847\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e893ac674fdb5847\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e893ac674fdb5847\
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:588
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7601.17514_es-es_eac4c02f4cc9dbe1\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7601.17514_es-es_eac4c02f4cc9dbe1\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7601.17514_es-es_eac4c02f4cc9dbe1\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_es-es_e23875de650486d3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_es-es_e23875de650486d3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_es-es_e23875de650486d3\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_03e774f8a3cfd864\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_03e774f8a3cfd864\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_03e774f8a3cfd864\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:772
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_es-es_ba219eb584c68561\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_es-es_ba219eb584c68561\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_es-es_ba219eb584c68561\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_es-es_103af8cc43d0a688\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_es-es_103af8cc43d0a688\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_es-es_103af8cc43d0a688\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:828
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b65fadb214ac7473\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b65fadb214ac7473\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b65fadb214ac7473\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_03780b3ea2ede9ef\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_03780b3ea2ede9ef\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_03780b3ea2ede9ef\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_07e11d96b1593625\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_07e11d96b1593625\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_07e11d96b1593625\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2bdf2a1139ce5a7d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2bdf2a1139ce5a7d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2bdf2a1139ce5a7d\
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7f9b0c391f93b6e6\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7f9b0c391f93b6e6\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7f9b0c391f93b6e6\
      4⤵
      PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a35c4d2dad059433\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a35c4d2dad059433\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a35c4d2dad059433\
      4⤵
      PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bde555fd45a79eb9\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bde555fd45a79eb9\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bde555fd45a79eb9\
      4⤵
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c94ff0f7345728e3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c94ff0f7345728e3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c94ff0f7345728e3\
      4⤵
      PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d621267d77d470ce\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d621267d77d470ce\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d621267d77d470ce\
      4⤵
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.s..ermanager.resources_31bf3856ad364e35_6.1.7601.17514_es-es_acc778d1ef5e3ee3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.s..ermanager.resources_31bf3856ad364e35_6.1.7601.17514_es-es_acc778d1ef5e3ee3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.s..ermanager.resources_31bf3856ad364e35_6.1.7601.17514_es-es_acc778d1ef5e3ee3\
      4⤵
      PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.s..rt_driver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_acbf87420a757a33\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.s..rt_driver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_acbf87420a757a33\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.s..rt_driver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_acbf87420a757a33\
      4⤵
      PID:340
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_es-es_992b92a25f851dba\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_es-es_992b92a25f851dba\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_es-es_992b92a25f851dba\
      4⤵
      PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_6.1.7600.16385_es-es_47ba3aee382d34b3\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_6.1.7600.16385_es-es_47ba3aee382d34b3\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_6.1.7600.16385_es-es_47ba3aee382d34b3\
      4⤵
      PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a6dae8166284ac8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a6dae8166284ac8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a6dae8166284ac8\
      4⤵
      PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e0b202a4da037729\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e0b202a4da037729\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e0b202a4da037729\
      4⤵
      PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..l-helpchm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_06e8222b977ee0d6\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..l-helpchm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_06e8222b977ee0d6\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..l-helpchm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_06e8222b977ee0d6\
      4⤵
      PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ll-events.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3ea9498b74297fac\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ll-events.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3ea9498b74297fac\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ll-events.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3ea9498b74297fac\
      4⤵
      PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\
      4⤵
      PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..l-message.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c2c816edcf094ba\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..l-message.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c2c816edcf094ba\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..l-message.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c2c816edcf094ba\
      4⤵
      PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6e64e1c333d9a87d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6e64e1c333d9a87d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6e64e1c333d9a87d\
      4⤵
      PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..lprinting.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cbac995d886cf4fd\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..lprinting.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cbac995d886cf4fd\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..lprinting.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cbac995d886cf4fd\
      4⤵
      PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..lsservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_333aedcfb7a0ebd7\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..lsservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_333aedcfb7a0ebd7\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..lsservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_333aedcfb7a0ebd7\
      4⤵
      PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..migration.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d60900fa278f838a\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..migration.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d60900fa278f838a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..migration.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d60900fa278f838a\
      4⤵
      PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..mmandline.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4a38206629c26305\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..mmandline.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4a38206629c26305\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..mmandline.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4a38206629c26305\
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..n-cmdline.resources_31bf3856ad364e35_6.1.7600.16385_es-es_922ed88ee5a660d1\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..n-cmdline.resources_31bf3856ad364e35_6.1.7600.16385_es-es_922ed88ee5a660d1\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..n-cmdline.resources_31bf3856ad364e35_6.1.7600.16385_es-es_922ed88ee5a660d1\
      4⤵
      PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2eb2f4087360ed21\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2eb2f4087360ed21\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2eb2f4087360ed21\
      4⤵
      PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_32a449fa7cd9b107\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_32a449fa7cd9b107\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_32a449fa7cd9b107\
      4⤵
      PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_6.1.7601.17514_es-es_34d55dc279c834a1\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_6.1.7601.17514_es-es_34d55dc279c834a1\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_6.1.7601.17514_es-es_34d55dc279c834a1\
      4⤵
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ng-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0b32e1cbabdc002d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ng-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0b32e1cbabdc002d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ng-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0b32e1cbabdc002d\
      4⤵
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ng-oleprn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ea53b341a53f805\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ng-oleprn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ea53b341a53f805\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ng-oleprn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ea53b341a53f805\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ng-wizard.resources_31bf3856ad364e35_6.1.7600.16385_es-es_95954cff3f008af1\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ng-wizard.resources_31bf3856ad364e35_6.1.7600.16385_es-es_95954cff3f008af1\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ng-wizard.resources_31bf3856ad364e35_6.1.7600.16385_es-es_95954cff3f008af1\
      4⤵
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f23478cc4df1394f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f23478cc4df1394f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f23478cc4df1394f\
      4⤵
      PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ntservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c223ab5542ecf69\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ntservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c223ab5542ecf69\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ntservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c223ab5542ecf69\
      4⤵
      PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..oler-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8397ae911b4db071\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..oler-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8397ae911b4db071\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..oler-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8397ae911b4db071\
      4⤵
      PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..onhandler.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3debeaf9d96546f3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..onhandler.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3debeaf9d96546f3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..onhandler.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3debeaf9d96546f3\
      4⤵
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59ec142e647e499e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59ec142e647e499e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59ec142e647e499e\
      4⤵
      PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ooler-ppc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_568a3676e9cb435f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ooler-ppc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_568a3676e9cb435f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ooler-ppc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_568a3676e9cb435f\
      4⤵
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..opeerbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d703ce9992bb9de9\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..opeerbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d703ce9992bb9de9\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..opeerbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d703ce9992bb9de9\
      4⤵
      PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f6bb96a7ba15910c\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f6bb96a7ba15910c\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f6bb96a7ba15910c\
      4⤵
      PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..orkclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_154d6207d08820df\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..orkclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_154d6207d08820df\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..orkclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_154d6207d08820df\
      4⤵
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..peeradmin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_71694d3c0758d05f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..peeradmin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_71694d3c0758d05f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..peeradmin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_71694d3c0758d05f\
      4⤵
      PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..reensaver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c9761ceea1e3388\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..reensaver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c9761ceea1e3388\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..reensaver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c9761ceea1e3388\
      4⤵
      PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rgraphing.resources_31bf3856ad364e35_6.1.7600.16385_es-es_72a54dc2d9272600\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rgraphing.resources_31bf3856ad364e35_6.1.7600.16385_es-es_72a54dc2d9272600\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rgraphing.resources_31bf3856ad364e35_6.1.7600.16385_es-es_72a54dc2d9272600\
      4⤵
      PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rgrouping.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ea5bc8b4d8e6a4d7\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rgrouping.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ea5bc8b4d8e6a4d7\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rgrouping.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ea5bc8b4d8e6a4d7\
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rolspanel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c6eafc8ed3c38ab2\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rolspanel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c6eafc8ed3c38ab2\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rolspanel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c6eafc8ed3c38ab2\
      4⤵
      PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rpautoreg.resources_31bf3856ad364e35_6.1.7600.16385_es-es_da4c7c5db0e22add\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rpautoreg.resources_31bf3856ad364e35_6.1.7600.16385_es-es_da4c7c5db0e22add\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rpautoreg.resources_31bf3856ad364e35_6.1.7600.16385_es-es_da4c7c5db0e22add\
      4⤵
      System policy modification
      PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a2e2a10f9181ebc6\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a2e2a10f9181ebc6\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a2e2a10f9181ebc6\
      4⤵
      PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b0fb0851370c0513\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b0fb0851370c0513\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b0fb0851370c0513\
      4⤵
      PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d64324541520a364\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d64324541520a364\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d64324541520a364\
      4⤵
      PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..shell-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9ca9b40f90079c50\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..shell-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9ca9b40f90079c50\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..shell-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9ca9b40f90079c50\
      4⤵
      PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..sions-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_194039000e7ad3f0\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..sions-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_194039000e7ad3f0\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..sions-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_194039000e7ad3f0\
      4⤵
      System policy modification
      PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..snonwinpe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9f3fa15008a01dc3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..snonwinpe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9f3fa15008a01dc3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..snonwinpe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9f3fa15008a01dc3\
      4⤵
      System policy modification
      PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ssettings.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a4ec92544ecf016d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ssettings.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a4ec92544ecf016d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ssettings.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a4ec92544ecf016d\
      4⤵
      PID:776
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..st-common.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c651f525f5764e2f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..st-common.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c651f525f5764e2f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..st-common.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c651f525f5764e2f\
      4⤵
      PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..stics-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_28f920d2b604bbde\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..stics-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_28f920d2b604bbde\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..stics-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_28f920d2b604bbde\
      4⤵
      PID:360
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0dcaa2ad5c24a80\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0dcaa2ad5c24a80\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0dcaa2ad5c24a80\
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..tcpmondll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7ad25ea6a3f9f793\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..tcpmondll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7ad25ea6a3f9f793\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..tcpmondll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7ad25ea6a3f9f793\
      4⤵
      PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..topeerdrt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_81aff0275b7ad50e\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..topeerdrt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_81aff0275b7ad50e\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..topeerdrt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_81aff0275b7ad50e\
      4⤵
      PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..track-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c108b5c831ff8a60\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..track-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c108b5c831ff8a60\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..track-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c108b5c831ff8a60\
      4⤵
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..trols-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eccc1389986bccf5\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..trols-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eccc1389986bccf5\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..trols-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eccc1389986bccf5\
      4⤵
      PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ui-pmcppc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ac6ed8cbdf793fd9\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ui-pmcppc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ac6ed8cbdf793fd9\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ui-pmcppc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ac6ed8cbdf793fd9\
      4⤵
      PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..utilities.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e7fc600777ea8426\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..utilities.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e7fc600777ea8426\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..utilities.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e7fc600777ea8426\
      4⤵
      PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ystem-web.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0c773247e275eda3\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ystem-web.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0c773247e275eda3\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\amd64_microsoft-windows-p..ystem-web.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0c773247e275eda3\
      4⤵
      PID:2008
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000007\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000007\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000007\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000008\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000008\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000008\
    3⤵
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000009\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000009\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000009\
    3⤵
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000a\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000a\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000b\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000b\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000b\
    3⤵
    PID:2736
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000c\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000c\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000c\
    3⤵
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000d\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000d\
    3⤵
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000e\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000e\
    3⤵
    PID:1948
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe C:\Users\Admin\AppData\Local\Temp\VBE\
  2⤵
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
88KB

MD5
c767cdb8c447705afc7774a8a9537655

SHA1
2106d717f3b9cf7e085c06ac012e88ddf5c6431f

SHA256
d7de5414597b4ff2f99baab937b2d3c96575fb1b0e93b89c1ec406fc30c4d3f3

SHA512
756b0bcc55c0d4c9125942b9880befa53e3b1fb6692d550b07496b7cc06394bdf3e31b6e6ccf4a274c7f1749f3db7399f0984e09914a942bca9a6b5f6cde8bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
6621a0418cb368177ade2fbac4173793

SHA1
f789bb0a4f9ef49f3431f96d2f0c47d109207e18

SHA256
49b4437fd6a6d413005cb4127649267e05b263c2638030260ee377985d9c0c0b

SHA512
e812b27dd3fa106a913673e04db3c1da7af1ce56740345b125c173db21c237a72c0c87fdcd8cfc25a085f28ed26e4c36129516f41f0b0e13d3eadedbf4c38815

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
358890bc746d38eb9f30d2c1b058c8c1

SHA1
18b4ea1064dc3c5987e152882f1005c27f067522

SHA256
c948900f29df0536902cb50befd42c58b646f1e48ea979c46f5ee7cbbec48bdb

SHA512
7c304729b649207a3aacc2c17675e43d6a6edc56c090e1e35be73e04a381702426422d64cd8e515ddd389c24132c41d45e0568eaadac7c5abe0d8edaebcbd6a0

Download Submit
\PerfLogs\backup.exe

Filesize
88KB

MD5
60bafff7bb5c6ec94dd653bee1c299b1

SHA1
68671501c244441bbaf9f767ea52122627c14008

SHA256
449a0b4b7934c126fa04d1b29bed5c697f373113e23cce5593d65478052e3c55

SHA512
2686c2cf950623c58cc5934f026ea9fa5afa862d23ae30f320ec75bf13734ca9ea03c4f2aae2ede382481d350ad095e01dd8ab7d105c78347dd2cd35d7e246ff

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
d5611038db76606c406a2696df0b573a

SHA1
8b8a71d2fa9550d2558fe0fec19f7b488875427d

SHA256
c753cfdd60fc858dd4a1e0775551af8da8a24f362ed7c5acd4eee8702ae3ee59

SHA512
373b1d07ecf15960f2727db62eb7ca6c51b5a67581d04aa9e315b4b9410357248563414f7d36f0708a0ae45db7bcbb9f2443f7d5b2e5f2a6d725a92f9b21bd20

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
88KB

MD5
9501a9a7d4dece36f21508a748b99983

SHA1
b7527747c1e13e9bd7b593f1b8aec93043125d27

SHA256
617853264b1ac86544f6417ae264494b709f7360c62f976d81c08ebd537a5c98

SHA512
d60f1fe17b3afc18c326beb4f6aa4af17cccb36bb47204fb3ffabb8bc29178dee8f86b98b74d58dfbd095b820d2120c270a30d8c88bd97495f338fc9d8591012

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe

Filesize
88KB

MD5
892207f5dea01604bbeb80398ad598ce

SHA1
575bb05f8ca7d8c7fe5ad623e22afb3fa3a3daf3

SHA256
0c8f1bfa365e1dc50e49451148accd189bc0662be728cc98fab629cfbbff64cb

SHA512
0277b45a500e36054fc2abca46a41e8915f96fb493198e08647ef4feca271a5bd3533341e683ec214373babc0be15b4d7eac5632bad3e61b815768d0d207ab27

Download Submit
\Users\Admin\AppData\Local\Temp\2727793027\backup.exe

Filesize
88KB

MD5
1b5efced642f0f8bd3517d431d541a0a

SHA1
ab98943537a644c3277eae3428e8b4b20e82daf6

SHA256
56524763310eba6734a4765d172de7d002e06d36cd90baa5402897a0bb371122

SHA512
139f257c013f49c015662dcd15f1279931465ee960f6cbd718cf099cc56539a47c8a65062f990cea7fcf727a28f70654d11f23dcaee79baf710e5912b0bb1b36

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe

Filesize
88KB

MD5
7deb9f58e66c68c52df552e877a451c5

SHA1
e1d018869747cc6f73f6a042adb33b3329501c72

SHA256
90df9512e8539e92bb6ee1a95850672dc938d20ae189111c4f1292faf4931b88

SHA512
87536bccb4db425e4628a07be45db6e7e2b7f9d6ad9a643a9e785734a1780d944dea64ba231b1ee29384f1cfb9f2b1a86e7d01c140e595873ed82ea87de6cc3f

Download Submit
memory/236-290-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/340-258-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/588-456-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/616-204-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/616-190-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/616-191-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/616-149-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/764-371-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/764-380-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/764-372-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/776-240-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/904-34-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/904-71-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/904-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/904-22-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/904-41-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/904-21-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/948-394-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1260-275-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1520-280-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-296-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-254-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-245-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-281-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-223-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1520-237-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-271-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-205-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-189-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-188-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-235-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-289-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1520-442-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1660-3182-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1708-325-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1712-250-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1820-210-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-343-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1824-355-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-363-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1824-373-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1824-460-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1824-407-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1824-443-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1924-302-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2084-293-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2104-437-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2108-97-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2196-131-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2244-429-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2272-386-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2272-438-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2272-414-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2272-413-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2272-370-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2272-425-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2272-424-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2272-342-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2276-426-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2316-266-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2364-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2380-337-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2384-405-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2384-387-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2464-408-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2500-1233-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2500-907-0x00000000775C0000-0x00000000776BA000-memory.dmp

Filesize
1000KB

Download
memory/2500-1232-0x00000000775C0000-0x00000000776BA000-memory.dmp

Filesize
1000KB

Download
memory/2500-906-0x00000000774A0000-0x00000000775BF000-memory.dmp

Filesize
1.1MB

Download
memory/2500-1231-0x00000000774A0000-0x00000000775BF000-memory.dmp

Filesize
1.1MB

Download
memory/2520-198-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2556-111-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2556-177-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2556-150-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2556-144-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2556-112-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2612-377-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2636-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2636-74-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2636-85-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2668-176-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2668-175-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2668-221-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2668-162-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2668-222-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2668-214-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2668-213-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2668-206-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2672-350-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2672-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2704-360-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2720-3365-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2804-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2816-369-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2836-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2888-128-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2896-1269-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2896-1268-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2908-169-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2908-1964-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2912-450-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2940-110-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2940-136-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2940-70-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/3040-220-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/3040-231-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads