b1d1793c502ab92ed07bbecbd6e9526084839621c3852f4bdaf052548dd27a17

Analysis

max time kernel
152s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fd7940bb860140134aaaedfd13fde2c0.exe
Size

84KB
MD5

fd7940bb860140134aaaedfd13fde2c0
SHA1

e44b2e58b9b25a6ef8258b2018d06e113f857723
SHA256

b1d1793c502ab92ed07bbecbd6e9526084839621c3852f4bdaf052548dd27a17
SHA512

395d244872eec0c0550bfba7f961ef258ca5a1f4746e279e7f4eb7ff27c79c69cf99170f653a4b956b116c53d208464abc39b79bb4d8b0f803ec4ef042e05f2f
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmM:BeT7BVwxfvEFwjRM

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 41 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 45 IoCs

pid	Process
4224	backup.exe
4424	backup.exe
1860	backup.exe
4024	backup.exe
1152	backup.exe
4236	backup.exe
2244	backup.exe
1308	backup.exe
2160	backup.exe
816	backup.exe
920	backup.exe
2144	backup.exe
1804	backup.exe
1580	backup.exe
2004	backup.exe
3960	backup.exe
4736	backup.exe
2412	backup.exe
1864	backup.exe
3888	backup.exe
1044	backup.exe
2496	backup.exe
2288	backup.exe
1696	backup.exe
4572	backup.exe
5008	backup.exe
4220	backup.exe
1824	backup.exe
4452	backup.exe
1892	backup.exe
4208	backup.exe
4992	backup.exe
4424	backup.exe
3036	backup.exe
4924	backup.exe
1744	backup.exe
988	backup.exe
4760	backup.exe
1628	backup.exe
1700	backup.exe
3296	backup.exe
4788	backup.exe
1492	backup.exe
4556	backup.exe
1924	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3868-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4224-8-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022d9d-14.dat	upx
behavioral2/files/0x0008000000022d9d-13.dat	upx
behavioral2/files/0x0008000000022d9d-12.dat	upx
behavioral2/files/0x000b000000022db9-19.dat	upx
behavioral2/files/0x000b000000022db9-21.dat	upx
behavioral2/files/0x0009000000022dbc-27.dat	upx
behavioral2/files/0x0009000000022dbc-26.dat	upx
behavioral2/memory/4424-20-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022da3-7.dat	upx
behavioral2/files/0x0007000000022da3-6.dat	upx
behavioral2/files/0x0008000000022e6c-33.dat	upx
behavioral2/files/0x0008000000022e6c-32.dat	upx
behavioral2/files/0x0009000000022e6d-39.dat	upx
behavioral2/files/0x0009000000022e6d-37.dat	upx
behavioral2/memory/4024-36-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e7c-46.dat	upx
behavioral2/files/0x0007000000022e7c-45.dat	upx
behavioral2/files/0x0007000000022e7d-50.dat	upx
behavioral2/files/0x0007000000022e7d-52.dat	upx
behavioral2/memory/3868-53-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e80-57.dat	upx
behavioral2/files/0x0008000000022e80-58.dat	upx
behavioral2/memory/4224-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e8f-67.dat	upx
behavioral2/memory/1308-66-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e8f-65.dat	upx
behavioral2/memory/2244-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e90-73.dat	upx
behavioral2/memory/2160-76-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1860-75-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e91-81.dat	upx
behavioral2/memory/816-82-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e91-80.dat	upx
behavioral2/files/0x0007000000022e90-74.dat	upx
behavioral2/files/0x0006000000022e93-89.dat	upx
behavioral2/files/0x0007000000022e94-91.dat	upx
behavioral2/files/0x0006000000022e93-92.dat	upx
behavioral2/files/0x0007000000022e94-94.dat	upx
behavioral2/memory/2144-93-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e97-104.dat	upx
behavioral2/files/0x0006000000022e98-103.dat	upx
behavioral2/files/0x0006000000022e98-106.dat	upx
behavioral2/memory/1152-105-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4236-108-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e97-107.dat	upx
behavioral2/files/0x0007000000022e95-116.dat	upx
behavioral2/files/0x0007000000022e95-118.dat	upx
behavioral2/memory/2004-117-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1804-119-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e9a-121.dat	upx
behavioral2/files/0x0006000000022e9a-123.dat	upx
behavioral2/files/0x0006000000022e9d-129.dat	upx
behavioral2/memory/4236-134-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e96-135.dat	upx
behavioral2/memory/2412-138-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1580-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e96-136.dat	upx
behavioral2/memory/3960-133-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1864-145-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/920-150-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e9e-149.dat	upx
behavioral2/files/0x0009000000022e99-148.dat	upx

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe
4224	backup.exe
4424	backup.exe
1860	backup.exe
4024	backup.exe
1152	backup.exe
4236	backup.exe
2244	backup.exe
1308	backup.exe
2160	backup.exe
816	backup.exe
920	backup.exe
2144	backup.exe
1804	backup.exe
1580	backup.exe
2004	backup.exe
3960	backup.exe
4736	backup.exe
2412	backup.exe
1864	backup.exe
3888	backup.exe
1044	backup.exe
2496	backup.exe
2288	backup.exe
1696	backup.exe
4572	backup.exe
5008	backup.exe
4220	backup.exe
1824	backup.exe
4452	backup.exe
4208	backup.exe
4992	data.exe
4424	backup.exe
3036	backup.exe
4924	backup.exe
1744	backup.exe
988	backup.exe
4760	backup.exe
1628	backup.exe
1700	backup.exe
3296	backup.exe
4788	backup.exe
1492	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 4224	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	26
PID 3868 wrote to memory of 4224	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	26
PID 3868 wrote to memory of 4224	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	26
PID 3868 wrote to memory of 4424	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	120
PID 3868 wrote to memory of 4424	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	120
PID 3868 wrote to memory of 4424	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	120
PID 3868 wrote to memory of 1860	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	30
PID 3868 wrote to memory of 1860	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	30
PID 3868 wrote to memory of 1860	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	30
PID 3868 wrote to memory of 4024	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	28
PID 3868 wrote to memory of 4024	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	28
PID 3868 wrote to memory of 4024	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	28
PID 4224 wrote to memory of 1152	4224	backup.exe	79
PID 4224 wrote to memory of 1152	4224	backup.exe	79
PID 4224 wrote to memory of 1152	4224	backup.exe	79
PID 3868 wrote to memory of 4236	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	82
PID 3868 wrote to memory of 4236	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	82
PID 3868 wrote to memory of 4236	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	82
PID 1152 wrote to memory of 2244	1152	backup.exe	80
PID 1152 wrote to memory of 2244	1152	backup.exe	80
PID 1152 wrote to memory of 2244	1152	backup.exe	80
PID 3868 wrote to memory of 1308	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	81
PID 3868 wrote to memory of 1308	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	81
PID 3868 wrote to memory of 1308	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	81
PID 1152 wrote to memory of 2160	1152	backup.exe	84
PID 1152 wrote to memory of 2160	1152	backup.exe	84
PID 1152 wrote to memory of 2160	1152	backup.exe	84
PID 3868 wrote to memory of 816	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	87
PID 3868 wrote to memory of 816	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	87
PID 3868 wrote to memory of 816	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	87
PID 1152 wrote to memory of 920	1152	backup.exe	88
PID 1152 wrote to memory of 920	1152	backup.exe	88
PID 1152 wrote to memory of 920	1152	backup.exe	88
PID 3868 wrote to memory of 2144	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	89
PID 3868 wrote to memory of 2144	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	89
PID 3868 wrote to memory of 2144	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	89
PID 920 wrote to memory of 1804	920	backup.exe	93
PID 920 wrote to memory of 1804	920	backup.exe	93
PID 920 wrote to memory of 1804	920	backup.exe	93
PID 3868 wrote to memory of 1580	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	96
PID 3868 wrote to memory of 1580	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	96
PID 3868 wrote to memory of 1580	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	96
PID 1804 wrote to memory of 2004	1804	backup.exe	102
PID 1804 wrote to memory of 2004	1804	backup.exe	102
PID 1804 wrote to memory of 2004	1804	backup.exe	102
PID 1580 wrote to memory of 3960	1580	backup.exe	101
PID 1580 wrote to memory of 3960	1580	backup.exe	101
PID 1580 wrote to memory of 3960	1580	backup.exe	101
PID 920 wrote to memory of 4736	920	backup.exe	103
PID 920 wrote to memory of 4736	920	backup.exe	103
PID 920 wrote to memory of 4736	920	backup.exe	103
PID 3960 wrote to memory of 2412	3960	backup.exe	104
PID 3960 wrote to memory of 2412	3960	backup.exe	104
PID 3960 wrote to memory of 2412	3960	backup.exe	104
PID 4736 wrote to memory of 1864	4736	backup.exe	105
PID 4736 wrote to memory of 1864	4736	backup.exe	105
PID 4736 wrote to memory of 1864	4736	backup.exe	105
PID 3868 wrote to memory of 3888	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	106
PID 3868 wrote to memory of 3888	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	106
PID 3868 wrote to memory of 3888	3868	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe	106
PID 4736 wrote to memory of 1044	4736	backup.exe	107
PID 4736 wrote to memory of 1044	4736	backup.exe	107
PID 4736 wrote to memory of 1044	4736	backup.exe	107
PID 3888 wrote to memory of 2496	3888	backup.exe	108

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.fd7940bb860140134aaaedfd13fde2c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.fd7940bb860140134aaaedfd13fde2c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fd7940bb860140134aaaedfd13fde2c0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3868
- C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\backup.exe C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4224
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1152
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2244
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2160
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        5⤵
        
        PID:1540
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        6⤵
        
        PID:1872
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        6⤵
        
        PID:1096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        7⤵
        
        PID:3464
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        5⤵
        
        PID:5100
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        6⤵
        
        PID:2412
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        7⤵
        
        PID:3392
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        6⤵
        
        PID:4656
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        6⤵
        
        PID:2804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        7⤵
        
        PID:860
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:920
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1804
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2004
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4736
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1864
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1044
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2288
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4572
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4220
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4452
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4208
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3036
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1744
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4760
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        
        PID:1700
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:4788
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        
        PID:848
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        
        PID:2636
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\
        9⤵
        
        PID:3296
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\
        10⤵
        
        PID:2224
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\
        9⤵
        
        PID:2612
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        
        PID:3212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
        9⤵
        
        PID:2164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        10⤵
        
        PID:5052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        10⤵
        
        PID:3468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
        10⤵
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
        10⤵
        
        PID:652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
        10⤵
        
        PID:3296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
        10⤵
        
        PID:2444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\
        10⤵
        
        PID:2688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\
        10⤵
        
        PID:1612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\
        10⤵
        
        PID:2616
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\
        10⤵
        
        PID:3260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\
        10⤵
        
        PID:2472
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        
        PID:3808
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:2248
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        
        PID:1888
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:3804
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:5112
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:1548
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:2504
        
        C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
        10⤵
        
        PID:2896
        
        C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\update.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        11⤵
        
        PID:4732
        
        C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        11⤵
        
        PID:1476
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\
        10⤵
        
        PID:1476
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x86\
        11⤵
        
        PID:4772
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Extensions\
        10⤵
        
        PID:848
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\
        10⤵
        
        PID:4556
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win10\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win10\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win10\
        11⤵
        
        PID:1320
        
        C:\Program Files\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files\Windows Defender\fr-FR\backup.exe" C:\Program Files\Windows Defender\fr-FR\
        12⤵
        
        PID:3540
        
        C:\Program Files\Windows Defender\ja-JP\data.exe
        
        "C:\Program Files\Windows Defender\ja-JP\data.exe" C:\Program Files\Windows Defender\ja-JP\
        12⤵
        
        PID:2200
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\MEIPreload\
        10⤵
        
        PID:4848
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Notifications\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Notifications\update.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Notifications\
        10⤵
        
        PID:4324
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\
        10⤵
        
        PID:3736
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\
        10⤵
        
        PID:184
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:1272
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:4228
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:4624
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:2364
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\
        10⤵
        
        PID:2988
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:4952
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:1604
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:560
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:2888
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:2820
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\data.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:1940
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:2492
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:1280
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:4452
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:5096
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:4412
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:3920
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:4480
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:4636
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:504
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:5052
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:1556
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:3268
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:4172
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:2060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\
        9⤵
        
        PID:4240
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\
        10⤵
        
        PID:3560
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\data.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:4792
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:820
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:4976
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:2140
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        9⤵
        
        PID:1688
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\update.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:2996
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:4828
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        
        PID:2320
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:3268
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:1308
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:3248
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:1420
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:2736
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:3908
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:2888
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\
        9⤵
        
        PID:2044
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\
        9⤵
        
        PID:4120
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\
        9⤵
        
        PID:884
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\
        10⤵
        
        PID:4500
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\
        11⤵
        
        PID:1540
        
        C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:2996
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:4940
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:4160
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:4968
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\System Restore.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:4792
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2004
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:4148
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:3648
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:3248
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\update.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:3076
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:5052
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:3880
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:3940
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:4228
        
        C:\Program Files\Common Files\microsoft shared\VSTO\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\update.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:388
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:1328
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:848
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        9⤵
        
        PID:4660
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1416
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2620
        
        C:\Program Files\Common Files\System\ado\data.exe
        
        "C:\Program Files\Common Files\System\ado\data.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4992
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:4792
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1492
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\System\ado\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\update.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2288
        
        C:\Program Files\Common Files\System\ado\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\update.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1504
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\
        9⤵
        
        PID:1708
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2060
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2188
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:4956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:5100
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1652
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:3228
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:4328
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1040
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1540
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1960
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        9⤵
        
        PID:3184
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\update.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\update.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:4572
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        9⤵
        
        PID:556
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:4908
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        9⤵
        
        PID:4936
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        10⤵
        
        PID:4904
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1648
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:3288
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:1892
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:4184
        
        C:\Program Files\Common Files\System\msadc\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\update.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1580
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:5080
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        9⤵
        
        PID:1220
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        10⤵
        
        PID:4936
        
        C:\Windows\DigitalLocker\en-US\backup.exe
        
        C:\Windows\DigitalLocker\en-US\backup.exe C:\Windows\DigitalLocker\en-US\
        11⤵
        
        PID:2740
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:3088
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:3628
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:4832
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:456
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:4104
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:4448
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:3904
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:2988
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        6⤵
        
        PID:2292
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        6⤵
        
        PID:3868
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        6⤵
        
        PID:1252
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:4896
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1296
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:2900
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\data.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\data.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        
        PID:4868
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        
        PID:4416
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:3408
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:1284
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:2152
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:2492
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:412
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:3236
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4788
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        10⤵
        
        PID:4984
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:3060
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2940
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:4920
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:4324
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:224
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\
        7⤵
        
        PID:468
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:4768
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:3444
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1604
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2944
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2068
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:3860
      - C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        6⤵
        
        PID:2072
        
        C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        7⤵
        
        PID:760
        
        C:\Program Files\Java\jdk-1.8\include\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
        7⤵
        
        PID:3544
        
        C:\Program Files\Java\jdk-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
        7⤵
        
        PID:2816
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\
        7⤵
        
        PID:1892
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\
        8⤵
        
        PID:3920
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\
        9⤵
        
        PID:2496
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        
        PID:4080
        
        C:\Program Files\Java\jre-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
        7⤵
        
        PID:4332
        
        C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        8⤵
        
        PID:3536
        
        C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        8⤵
        
        PID:4920
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\data.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\data.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\
        9⤵
        
        PID:2380
        
        C:\Program Files\Java\jre-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
        7⤵
        
        PID:3024
        
        C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        8⤵
        
        PID:4968
        
        C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        8⤵
        
        PID:4420
        
        C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        8⤵
        
        PID:4952
        
        C:\Program Files\Java\jre-1.8\lib\fonts\System Restore.exe
        
        "C:\Program Files\Java\jre-1.8\lib\fonts\System Restore.exe" C:\Program Files\Java\jre-1.8\lib\fonts\
        8⤵
        
        PID:5012
        
        C:\Program Files\Java\jre-1.8\lib\management\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\management\backup.exe" C:\Program Files\Java\jre-1.8\lib\management\
        8⤵
        
        PID:4976
        
        C:\Program Files\Java\jre-1.8\lib\security\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\
        8⤵
        
        PID:2448
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:4828
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:2940
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:2996
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:3440
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:1192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\
        8⤵
        
        PID:4820
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:1644
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:3416
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        
        PID:880
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:884
        
        C:\Windows\Containers\serviced\backup.exe
        
        C:\Windows\Containers\serviced\backup.exe C:\Windows\Containers\serviced\
        8⤵
        
        PID:4572
        
        C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        
        PID:2604
        
        C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        8⤵
        
        PID:1196
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        9⤵
        
        PID:4304
        
        C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        8⤵
        
        PID:1864
        
        C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        8⤵
        
        PID:3780
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        8⤵
        
        PID:4660
        
        C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        8⤵
        
        PID:4532
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f4\
        8⤵
        
        PID:4568
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f7\
        8⤵
        
        PID:2612
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\update.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\
        8⤵
        
        PID:2472
    - - C:\Program Files\Mozilla Firefox\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\System Restore.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2004
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1772
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:2896
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:2844
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:4992
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1724
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:4288
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2992
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:644
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:1804
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\
        7⤵
        
        PID:5000
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:4764
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:900
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        
        PID:3716
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:4156
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:3800
        
        C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\js\
        9⤵
        
        PID:2292
        
        C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\requests\
        9⤵
        
        PID:1420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:2940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:3532
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        9⤵
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:2764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:3396
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1356
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\update.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\
        10⤵
        
        PID:2528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:3552
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:4228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:60
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:3960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:4296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:2324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:5112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:3764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:1920
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
        11⤵
        
        PID:3960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:1416
        
        C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        10⤵
        
        PID:3016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        11⤵
        
        PID:4160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:4668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:3392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:4564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:3288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:1868
        
        C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        10⤵
        
        PID:1348
        
        C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        10⤵
        
        PID:4880
        
        C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
        10⤵
        
        PID:3572
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\
        11⤵
        
        PID:4672
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\System Restore.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\System Restore.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\
        10⤵
        
        PID:3912
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
        11⤵
        
        PID:2704
        
        C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\
        10⤵
        
        PID:2496
        
        C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
        10⤵
        
        PID:3108
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\
        10⤵
        
        PID:4328
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:3780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:2144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:572
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:4108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:4324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:4408
        
        C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\
        11⤵
        
        PID:3060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\
        8⤵
        
        PID:4716
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\
        9⤵
        
        PID:552
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\
        8⤵
        
        PID:2760
      - C:\Windows\Globalization\ELS\backup.exe
        
        C:\Windows\Globalization\ELS\backup.exe C:\Windows\Globalization\ELS\
        6⤵
        
        PID:560
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1248
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2804
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:4696
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\System Restore.exe
        
        "C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1908
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:5100
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:1296
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:116
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:4568
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:4848
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:4444
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:3016
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:5008
        
        C:\Program Files (x86)\Common Files\Java\Java Update\data.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\data.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:3468
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:3900
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:4208
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:5056
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:1328
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:788
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:4752
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:4936
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:4412
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2128
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:852
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:3540
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:3484
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:2820
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1072
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:4656
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:5036
      - C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:3920
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        
        PID:3736
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\data.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\data.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:3040
      - C:\Program Files (x86)\Common Files\System\data.exe
        
        "C:\Program Files (x86)\Common Files\System\data.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:3124
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:4824
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:4524
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:2764
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:2820
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:3984
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:2792
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\System Restore.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:940
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:3776
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:2844
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2288
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:232
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:5020
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:3864
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:3724
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1304
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:2232
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:4920
        
        C:\Program Files (x86)\Google\Update\Install\{5D02C9B9-7A41-4ABC-8923-E3E11EEC098C}\update.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{5D02C9B9-7A41-4ABC-8923-E3E11EEC098C}\update.exe" C:\Program Files (x86)\Google\Update\Install\{5D02C9B9-7A41-4ABC-8923-E3E11EEC098C}\
        8⤵
        
        PID:232
        
        C:\Program Files (x86)\Google\Update\Offline\System Restore.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\System Restore.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:4704
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1296
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:468
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2244
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1132
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:1988
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:4424
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:4172
      - C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        6⤵
        
        PID:232
        
        C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        7⤵
        
        PID:2284
      - C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        6⤵
        
        PID:2220
        
        C:\Program Files (x86)\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\backup.exe" C:\Program Files (x86)\Windows Defender\de-DE\
        7⤵
        
        PID:4480
    - - C:\Program Files (x86)\Windows Photo Viewer\backup.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\backup.exe" C:\Program Files (x86)\Windows Photo Viewer\
        5⤵
        
        PID:1276
    - - C:\Program Files (x86)\Windows Portable Devices\backup.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backup.exe" C:\Program Files (x86)\Windows Portable Devices\
        5⤵
        
        PID:4104
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:3944
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2544
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:4952
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2684
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1328
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:4940
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        
        PID:2132
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        
        PID:4732
      - C:\Users\Admin\Downloads\data.exe
        
        C:\Users\Admin\Downloads\data.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3120
        
        C:\Program Files\VideoLAN\VLC\locale\af\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\update.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        7⤵
        
        PID:4180
        
        C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        7⤵
        
        PID:676
        
        C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        7⤵
        
        PID:4184
        
        C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
        7⤵
        
        PID:3516
        
        C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
        8⤵
        
        PID:1160
        
        C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
        7⤵
        
        PID:436
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2224
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:4952
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:776
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:4412
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:1220
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:4656
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:4524
      - C:\Users\Admin\Saved Games\System Restore.exe
        
        "C:\Users\Admin\Saved Games\System Restore.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:3444
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        6⤵
        
        PID:3444
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2664
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:4704
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:4952
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1192
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:468
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:4336
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:3804
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:4236
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:1340
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:1584
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:1468
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:4480
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:3076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\
        7⤵
        
        PID:4904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\
        7⤵
        
        PID:2620
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:2988
      - C:\Windows\apppatch\es-ES\data.exe
        
        C:\Windows\apppatch\es-ES\data.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:2164
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:4956
      - C:\Windows\apppatch\it-IT\update.exe
        
        C:\Windows\apppatch\it-IT\update.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        7⤵
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\
        7⤵
        
        PID:4936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
        7⤵
        
        PID:1248
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\
        7⤵
        
        PID:3332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\
        7⤵
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\
        7⤵
        
        PID:4444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\
        7⤵
        
        PID:2288
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:3596
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:456
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:4656
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1340
        
        C:\Windows\assembly\GAC_32\ISymWrapper\update.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\update.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:1576
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4796
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:2296
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4672
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:2024
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\data.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\data.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:3724
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe C:\Windows\assembly\GAC_32\mscorlib\
        7⤵
        
        PID:4832
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\System Restore.exe" C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:640
        
        C:\Windows\assembly\GAC_32\srmlib\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\srmlib\System Restore.exe" C:\Windows\assembly\GAC_32\srmlib\
        7⤵
        
        PID:5036
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:4300
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\data.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\data.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        
        PID:880
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:2364
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2024
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:940
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3532
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:2492
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        
        PID:1272
        
        C:\Windows\assembly\GAC_MSIL\IIEHost\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\IIEHost\backup.exe C:\Windows\assembly\GAC_MSIL\IIEHost\
        7⤵
        
        PID:2464
        
        C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2708
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        
        PID:1328
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\
        7⤵
        
        PID:1900
      - C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\
        6⤵
        
        PID:4536
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:1804
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:3140
- C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe
  C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe C:\Users\Admin\AppData\Local\Temp\225938852\
  2⤵
  PID:4424
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4024
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4236
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:816
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2412
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe
      C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5008
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1824
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\
        5⤵
        Executes dropped EXE
        
        PID:4992
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\de\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\de\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\de\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4924
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\
        6⤵
        
        PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\el\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\el\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\el\
        5⤵
        
        PID:988
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\en_US\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\en_US\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\en_US\
        5⤵
        
        PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3296
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es_419\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es_419\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es_419\
        5⤵
        
        PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\et\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\et\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\et\
        5⤵
        Executes dropped EXE
        
        PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\eu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\eu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\eu\
        5⤵
        
        PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fi\System Restore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fi\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fi\
        5⤵
        
        PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fil\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fil\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fil\
        5⤵
        
        PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr\
        5⤵
        
        PID:980
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr_CA\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr_CA\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr_CA\
        5⤵
        
        PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gl\
        5⤵
        
        PID:1648
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gu\
        5⤵
        
        PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hr\
        5⤵
        
        PID:4304
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hu\
        5⤵
        
        PID:4308
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\is\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\is\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\is\
        5⤵
        
        PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\it\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\it\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\it\
        5⤵
        
        PID:444
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\iw\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\iw\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\iw\
        5⤵
        
        PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ja\data.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ja\data.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ja\
        5⤵
        
        PID:640
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ka\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ka\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ka\
        5⤵
        
        PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\kk\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\kk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\kk\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\km\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\km\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\km\
        5⤵
        
        PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ko\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ko\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ko\
        5⤵
        
        PID:1772
      - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        6⤵
        
        PID:2412
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        7⤵
        
        PID:4408
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        8⤵
        
        PID:788
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        8⤵
        
        PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lo\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lo\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lo\
        5⤵
        
        PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lt\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lt\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lt\
        5⤵
        
        PID:860
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ml\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ml\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ml\
        5⤵
        
        PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mn\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mn\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mn\
        5⤵
        
        PID:232
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mr\
        5⤵
        
        PID:4024
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ms\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ms\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ms\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\my\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\my\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\my\
        5⤵
        
        PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ne\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ne\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ne\
        5⤵
        
        PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\nl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\nl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\nl\
        5⤵
        
        PID:3556
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\no\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\no\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\no\
        5⤵
        
        PID:644
      - C:\Program Files\Mozilla Firefox\defaults\pref\data.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\data.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        6⤵
        
        PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\pt_BR\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\pt_BR\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\pt_BR\
        5⤵
        
        PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ro\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ro\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ro\
        5⤵
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\si\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\si\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\si\
        5⤵
        
        PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sk\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sk\
        5⤵
        
        PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sl\
        5⤵
        
        PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sr\
        5⤵
        
        PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sv\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sv\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sv\
        5⤵
        
        PID:4336
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ta\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ta\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ta\
        5⤵
        
        PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\th\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\th\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\th\
        5⤵
        
        PID:568
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ur\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ur\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ur\
        5⤵
        
        PID:3868
      - C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
        6⤵
        
        PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\vi\update.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\vi\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\vi\
        5⤵
        
        PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\zh_CN\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\zh_CN\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\zh_CN\
        5⤵
        
        PID:1220
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\
  2⤵
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\CRX_INSTALL\
    3⤵
    PID:852

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
1⤵
PID:3408

C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
1⤵
PID:1628
- C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\update.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
  2⤵
  PID:3540
- - C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
    3⤵
    PID:2192

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
1⤵
PID:3456

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
1⤵
PID:2332
- C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
  "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
  2⤵
  PID:3672

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\System Restore.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
1⤵
PID:4968

C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
1⤵
PID:3124

C:\Windows\apppatch\Custom\Custom64\backup.exe
C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
1⤵
PID:4656

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
1⤵
PID:4104

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
1⤵
PID:3228
- C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
  C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
  2⤵
  PID:3408

C:\Program Files (x86)\Microsoft\Edge\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
1⤵
PID:2528
- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\backup.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\
  2⤵
  PID:2464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
1⤵
PID:2988
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
  2⤵
  PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
    3⤵
    PID:1612
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
    3⤵
    PID:3716
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\
    3⤵
    PID:1436
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\
    3⤵
    PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\
      4⤵
      PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\
    3⤵
    PID:2024
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\data.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\
      4⤵
      PID:2044
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\System Restore.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\
      4⤵
      PID:576
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\
    3⤵
    PID:2232
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\backup.exe
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\
    3⤵
    PID:1744
- - C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
    3⤵
    PID:1236

C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
1⤵
PID:2620
- C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
  "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
  2⤵
  PID:4928
- - C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe
    "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\
    3⤵
    PID:3548

C:\Program Files (x86)\Common Files\System\ado\en-US\System Restore.exe
"C:\Program Files (x86)\Common Files\System\ado\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
1⤵
PID:4936

C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
1⤵
PID:4084
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\backup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\
  2⤵
  PID:4448
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\EDGEMITMP_F9E5D.tmp\backup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\EDGEMITMP_F9E5D.tmp\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\EDGEMITMP_F9E5D.tmp\
    3⤵
    PID:4360
  - - C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\
      4⤵
      PID:1096
    - - C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        5⤵
        
        PID:1920
      - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\
        6⤵
        
        PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\System Restore.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
1⤵
PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
  2⤵
  PID:3864

C:\Program Files\Microsoft Office\Updates\Download\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
1⤵
PID:3448

C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
1⤵
PID:676

C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
1⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
1⤵
PID:504

C:\Program Files (x86)\Microsoft\EdgeCore\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeCore\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\
1⤵
PID:2976
- C:\Windows\DiagTrack\Settings\backup.exe
  C:\Windows\DiagTrack\Settings\backup.exe C:\Windows\DiagTrack\Settings\
  2⤵
  PID:4740

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
1⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
1⤵
PID:2900

C:\Windows\Branding\Basebrd\es-ES\backup.exe
C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
1⤵
PID:3864

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
1⤵
PID:1924

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
1⤵
PID:3808

C:\Windows\Branding\Basebrd\fr-FR\backup.exe
C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
1⤵
PID:2224

C:\Program Files (x86)\Microsoft\EdgeUpdate\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\
1⤵
PID:3808
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\backup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\
  2⤵
  PID:3444

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System Restore.exe
"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
1⤵
PID:1132

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\118.0.2088.57\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\118.0.2088.57\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\118.0.2088.57\
1⤵
PID:2820

C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
1⤵
PID:3456
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\
  2⤵
  PID:2224
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\
    3⤵
    PID:4568
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\
      4⤵
      PID:4564
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\
      4⤵
      PID:4960
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\
      4⤵
      PID:2448
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
      4⤵
      PID:504
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\
      4⤵
      PID:652
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\
    3⤵
    PID:2916
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\
      4⤵
      PID:1612

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\
1⤵
PID:2764

C:\Program Files (x86)\Microsoft\EdgeWebView\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\
1⤵
PID:1860
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\backup.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
  2⤵
  PID:4796

C:\Program Files\VideoLAN\VLC\backup.exe
"C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
1⤵
PID:1868
- C:\Program Files\VideoLAN\VLC\plugins\data.exe
  "C:\Program Files\VideoLAN\VLC\plugins\data.exe" C:\Program Files\VideoLAN\VLC\plugins\
  2⤵
  PID:4860
- - C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe
    "C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access\
    3⤵
    PID:4672
- - C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe
    "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_filter\
    3⤵
    PID:2380
- - C:\Program Files\VideoLAN\VLC\plugins\codec\backup.exe
    "C:\Program Files\VideoLAN\VLC\plugins\codec\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\codec\
    3⤵
    PID:4012
- - C:\Program Files\VideoLAN\VLC\plugins\control\backup.exe
    "C:\Program Files\VideoLAN\VLC\plugins\control\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\control\
    3⤵
    PID:2036
- - C:\Program Files\VideoLAN\VLC\plugins\d3d9\backup.exe
    "C:\Program Files\VideoLAN\VLC\plugins\d3d9\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\d3d9\
    3⤵
    PID:2296
- C:\Program Files\VideoLAN\VLC\skins\backup.exe
  "C:\Program Files\VideoLAN\VLC\skins\backup.exe" C:\Program Files\VideoLAN\VLC\skins\
  2⤵
  PID:1240

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
1⤵
PID:4940
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
  2⤵
  PID:1468
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\
    3⤵
    PID:896
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\
    3⤵
    PID:2812
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\
    3⤵
    PID:5016
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\
    3⤵
    PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\System Restore.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\
1⤵
PID:2036

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\
1⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\
1⤵
PID:1480

C:\Program Files (x86)\Microsoft\Temp\update.exe
"C:\Program Files (x86)\Microsoft\Temp\update.exe" C:\Program Files (x86)\Microsoft\Temp\
1⤵
PID:2140

C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
1⤵
PID:4476

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\
1⤵
PID:1292
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win11\backup.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win11\
  2⤵
  PID:1048

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\
1⤵
PID:4444

C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe
"C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\
1⤵
PID:2996
- C:\Program Files\Windows NT\TableTextService\backup.exe
  "C:\Program Files\Windows NT\TableTextService\backup.exe" C:\Program Files\Windows NT\TableTextService\
  2⤵
  PID:4736

C:\Program Files (x86)\Windows Media Player\fr-FR\data.exe
"C:\Program Files (x86)\Windows Media Player\fr-FR\data.exe" C:\Program Files (x86)\Windows Media Player\fr-FR\
1⤵
PID:4760

C:\Windows\Help\Corporate\backup.exe
C:\Windows\Help\Corporate\backup.exe C:\Windows\Help\Corporate\
1⤵
PID:2296

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\
1⤵
PID:4328

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Locales\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Locales\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Locales\
1⤵
PID:940

C:\Program Files (x86)\Windows Media Player\it-IT\backup.exe
"C:\Program Files (x86)\Windows Media Player\it-IT\backup.exe" C:\Program Files (x86)\Windows Media Player\it-IT\
1⤵
PID:4160

C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
1⤵
PID:992

C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe
"C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe" C:\Program Files\VideoLAN\VLC\lua\intf\modules\
1⤵
PID:4912

C:\Program Files (x86)\Windows Media Player\ja-JP\backup.exe
"C:\Program Files (x86)\Windows Media Player\ja-JP\backup.exe" C:\Program Files (x86)\Windows Media Player\ja-JP\
1⤵
PID:1940

C:\Program Files\Windows Media Player\it-IT\backup.exe
"C:\Program Files\Windows Media Player\it-IT\backup.exe" C:\Program Files\Windows Media Player\it-IT\
1⤵
PID:4448

C:\Windows\Help\mui\backup.exe
C:\Windows\Help\mui\backup.exe C:\Windows\Help\mui\
1⤵
PID:1100
- C:\Windows\Help\mui\0410\backup.exe
  C:\Windows\Help\mui\0410\backup.exe C:\Windows\Help\mui\0410\
  2⤵
  PID:4012
- C:\Windows\Help\mui\0411\backup.exe
  C:\Windows\Help\mui\0411\backup.exe C:\Windows\Help\mui\0411\
  2⤵
  PID:4916

C:\Program Files\Windows Media Player\Media Renderer\update.exe
"C:\Program Files\Windows Media Player\Media Renderer\update.exe" C:\Program Files\Windows Media Player\Media Renderer\
1⤵
PID:2896

C:\Program Files (x86)\Windows Media Player\Skins\backup.exe
"C:\Program Files (x86)\Windows Media Player\Skins\backup.exe" C:\Program Files (x86)\Windows Media Player\Skins\
1⤵
PID:2220

C:\Program Files\Windows Media Player\Network Sharing\backup.exe
"C:\Program Files\Windows Media Player\Network Sharing\backup.exe" C:\Program Files\Windows Media Player\Network Sharing\
1⤵
PID:4084

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\
1⤵
PID:2724
- C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\3a302112bfa45c1f317cff0b8fb156d8\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\3a302112bfa45c1f317cff0b8fb156d8\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\3a302112bfa45c1f317cff0b8fb156d8\
  2⤵
  PID:468

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\
1⤵
PID:2320

C:\Program Files\Windows Media Player\Skins\backup.exe
"C:\Program Files\Windows Media Player\Skins\backup.exe" C:\Program Files\Windows Media Player\Skins\
1⤵
PID:2740

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\
1⤵
PID:976

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\
1⤵
PID:1016
- C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\7153ef0bfdd1efd38882e46b46b7745a\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\7153ef0bfdd1efd38882e46b46b7745a\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\7153ef0bfdd1efd38882e46b46b7745a\
  2⤵
  PID:2792

C:\Windows\IME\de-DE\backup.exe
C:\Windows\IME\de-DE\backup.exe C:\Windows\IME\de-DE\
1⤵
PID:2844

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Trust Protection Lists\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Trust Protection Lists\
1⤵
PID:3236

C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
84KB

MD5
8cbc5c0f9687e16b2f034fa1bddac2ca

SHA1
e4d07e5fbdabbedd61da9fcbd57a933027b26b42

SHA256
c0c98fbb55a7179dede026d44202526681cba00b7c49be3c155c076f6f4ed288

SHA512
84be6f9508faea90bde6f8581a1e2be99fa2bb3b48ad6d40b4790f7b22770213de76b997d003d38e1877a6b204e9f07f3e4e7617beefa9cb84e0db870ead8109

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
8cbc5c0f9687e16b2f034fa1bddac2ca

SHA1
e4d07e5fbdabbedd61da9fcbd57a933027b26b42

SHA256
c0c98fbb55a7179dede026d44202526681cba00b7c49be3c155c076f6f4ed288

SHA512
84be6f9508faea90bde6f8581a1e2be99fa2bb3b48ad6d40b4790f7b22770213de76b997d003d38e1877a6b204e9f07f3e4e7617beefa9cb84e0db870ead8109

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
e80c344ad67284d84e96a29db471c00e

SHA1
da1c54a9fc1122fd784b00431eb99ac097cc7a71

SHA256
529a770143884047bbaa144edc941acaa1218caf51b8a6b8331e9d186b2c3063

SHA512
5a8f2e8617b274a26debf95ca4f268af2bc1e6d3047982b3e80c198e313ed0bec962bbb6a5e586d091b2a4f6ef269969f6b8e799962226f5d8d7414ad40fbae6

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
e80c344ad67284d84e96a29db471c00e

SHA1
da1c54a9fc1122fd784b00431eb99ac097cc7a71

SHA256
529a770143884047bbaa144edc941acaa1218caf51b8a6b8331e9d186b2c3063

SHA512
5a8f2e8617b274a26debf95ca4f268af2bc1e6d3047982b3e80c198e313ed0bec962bbb6a5e586d091b2a4f6ef269969f6b8e799962226f5d8d7414ad40fbae6

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
b70ad9a2ac0da975f1fbb604b5ad3d01

SHA1
9f76241f445cffd3aef5330ad85c2e9e94ee0f06

SHA256
64cfe7dd66a661530113bf44697cbbcc8cd2fb28a67d1e73555f3f3d7ef07dab

SHA512
4a4bd47e2e6e78e7336098a7084b8aa4b81cb2ebe6fb597fbf284947498d4d5d0916f3c4b5980a9d8fe6fdef383796989819192cd4cab8406dbed257f38014a8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
b70ad9a2ac0da975f1fbb604b5ad3d01

SHA1
9f76241f445cffd3aef5330ad85c2e9e94ee0f06

SHA256
64cfe7dd66a661530113bf44697cbbcc8cd2fb28a67d1e73555f3f3d7ef07dab

SHA512
4a4bd47e2e6e78e7336098a7084b8aa4b81cb2ebe6fb597fbf284947498d4d5d0916f3c4b5980a9d8fe6fdef383796989819192cd4cab8406dbed257f38014a8

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
84KB

MD5
278a0413448f4678a297224ef8bcb988

SHA1
f5732df5eaede34ddcf88fb00d3b97691beb18aa

SHA256
a7ec7ec49d25323d4a2488b8780aa9b3bee75b1112d6508692af3755606e78b3

SHA512
abf2179af27f5ec12c0167f61719fa4162ed15ab4972cb9a91d87bb5022f38e4bbf161e23990b6f5c6a44ab1fe7b0d2cda122ae82b0ee6e6b4ead3fb793e405b

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
84KB

MD5
278a0413448f4678a297224ef8bcb988

SHA1
f5732df5eaede34ddcf88fb00d3b97691beb18aa

SHA256
a7ec7ec49d25323d4a2488b8780aa9b3bee75b1112d6508692af3755606e78b3

SHA512
abf2179af27f5ec12c0167f61719fa4162ed15ab4972cb9a91d87bb5022f38e4bbf161e23990b6f5c6a44ab1fe7b0d2cda122ae82b0ee6e6b4ead3fb793e405b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
e0f3ab5de831a582560cf1a7ea463056

SHA1
b6eb8614d28d4bf845145d060072e8e39b1963cb

SHA256
43df64e887ce251d90e4e1771b8e0a275052bba0ef68e09d4acecbc389b42ced

SHA512
02160bde9848a185b6a80f1a1e242fc7ef4488d2c66adfc5c752ce7d2514cdecb83cab6031e366efa9d7033e1f897256218db187ac9db66c813718851c3b7dab

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
e0f3ab5de831a582560cf1a7ea463056

SHA1
b6eb8614d28d4bf845145d060072e8e39b1963cb

SHA256
43df64e887ce251d90e4e1771b8e0a275052bba0ef68e09d4acecbc389b42ced

SHA512
02160bde9848a185b6a80f1a1e242fc7ef4488d2c66adfc5c752ce7d2514cdecb83cab6031e366efa9d7033e1f897256218db187ac9db66c813718851c3b7dab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
84KB

MD5
ab7747a870af62474855ef0a37916abc

SHA1
8fc59c7481ee6dbe987e4d076450bf6b0750a785

SHA256
bc3076052b84815c6fbe8a853ad2b93e13f6c3a970c5d5ea16a61a04416f4e3c

SHA512
2de382490913d1009d5d80668177b454ed356ca8221be9a0f4f0b68519360fcdae1a1a41fdf83403db3e569820da55e364441b73a1cdb171f8a22b818a192b81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
84KB

MD5
ab7747a870af62474855ef0a37916abc

SHA1
8fc59c7481ee6dbe987e4d076450bf6b0750a785

SHA256
bc3076052b84815c6fbe8a853ad2b93e13f6c3a970c5d5ea16a61a04416f4e3c

SHA512
2de382490913d1009d5d80668177b454ed356ca8221be9a0f4f0b68519360fcdae1a1a41fdf83403db3e569820da55e364441b73a1cdb171f8a22b818a192b81

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
84KB

MD5
6a42590909da661dabe9cf30d973ecf7

SHA1
470f1943d5198ffe93b667346dde54b39e56eef8

SHA256
ef32d01cd3a5f251b52f975e76ee3cf85cd7b0e3d12c659b168c98ddfe70a427

SHA512
b86aa2233b98474e5bec1dcb79ea2d8fe962dae2c03bc5857a91ea54e09d7bbb9d550931f85162bdc5d2c81f4595ad03e393525847449c276affed077bdacdc2

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
84KB

MD5
6a42590909da661dabe9cf30d973ecf7

SHA1
470f1943d5198ffe93b667346dde54b39e56eef8

SHA256
ef32d01cd3a5f251b52f975e76ee3cf85cd7b0e3d12c659b168c98ddfe70a427

SHA512
b86aa2233b98474e5bec1dcb79ea2d8fe962dae2c03bc5857a91ea54e09d7bbb9d550931f85162bdc5d2c81f4595ad03e393525847449c276affed077bdacdc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
93913f33e68374741f7afe9748ea404e

SHA1
d77e8c35b278af58b6313d27df0c19e32abb091b

SHA256
057b0d9cea255c5e11750c63a5f3c6dbb516fc52d695eae5dbbb80f19c3abeab

SHA512
e2e9f36eaae4639f24beeeeaf8947eb8c79dd83102c5b675380f82b35583fb3da51787775bb0af4ad8775ed2a24c55c34e91e444a43606bc018d107a186e9afd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
93913f33e68374741f7afe9748ea404e

SHA1
d77e8c35b278af58b6313d27df0c19e32abb091b

SHA256
057b0d9cea255c5e11750c63a5f3c6dbb516fc52d695eae5dbbb80f19c3abeab

SHA512
e2e9f36eaae4639f24beeeeaf8947eb8c79dd83102c5b675380f82b35583fb3da51787775bb0af4ad8775ed2a24c55c34e91e444a43606bc018d107a186e9afd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
84KB

MD5
ab7747a870af62474855ef0a37916abc

SHA1
8fc59c7481ee6dbe987e4d076450bf6b0750a785

SHA256
bc3076052b84815c6fbe8a853ad2b93e13f6c3a970c5d5ea16a61a04416f4e3c

SHA512
2de382490913d1009d5d80668177b454ed356ca8221be9a0f4f0b68519360fcdae1a1a41fdf83403db3e569820da55e364441b73a1cdb171f8a22b818a192b81

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
84KB

MD5
ab7747a870af62474855ef0a37916abc

SHA1
8fc59c7481ee6dbe987e4d076450bf6b0750a785

SHA256
bc3076052b84815c6fbe8a853ad2b93e13f6c3a970c5d5ea16a61a04416f4e3c

SHA512
2de382490913d1009d5d80668177b454ed356ca8221be9a0f4f0b68519360fcdae1a1a41fdf83403db3e569820da55e364441b73a1cdb171f8a22b818a192b81

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
93913f33e68374741f7afe9748ea404e

SHA1
d77e8c35b278af58b6313d27df0c19e32abb091b

SHA256
057b0d9cea255c5e11750c63a5f3c6dbb516fc52d695eae5dbbb80f19c3abeab

SHA512
e2e9f36eaae4639f24beeeeaf8947eb8c79dd83102c5b675380f82b35583fb3da51787775bb0af4ad8775ed2a24c55c34e91e444a43606bc018d107a186e9afd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
93913f33e68374741f7afe9748ea404e

SHA1
d77e8c35b278af58b6313d27df0c19e32abb091b

SHA256
057b0d9cea255c5e11750c63a5f3c6dbb516fc52d695eae5dbbb80f19c3abeab

SHA512
e2e9f36eaae4639f24beeeeaf8947eb8c79dd83102c5b675380f82b35583fb3da51787775bb0af4ad8775ed2a24c55c34e91e444a43606bc018d107a186e9afd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
4c2e19dc0d66b212f6eefb5a1eb23077

SHA1
e24847dbc2b753c6cdc40b0b85c03e710899b0b1

SHA256
b3fa174adc5c2337d187c215ceae0f965a0160cfa448c0608fdd892f9ed9a202

SHA512
3137b253277abccc44108c0a9a895deba35b3b65d5666be0e546dd08d7d3d1b318c5810d2f5c9df89d80cdab6779468337c5a675841bf7308399b49f804f6e32

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
4c2e19dc0d66b212f6eefb5a1eb23077

SHA1
e24847dbc2b753c6cdc40b0b85c03e710899b0b1

SHA256
b3fa174adc5c2337d187c215ceae0f965a0160cfa448c0608fdd892f9ed9a202

SHA512
3137b253277abccc44108c0a9a895deba35b3b65d5666be0e546dd08d7d3d1b318c5810d2f5c9df89d80cdab6779468337c5a675841bf7308399b49f804f6e32

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
8cbc5c0f9687e16b2f034fa1bddac2ca

SHA1
e4d07e5fbdabbedd61da9fcbd57a933027b26b42

SHA256
c0c98fbb55a7179dede026d44202526681cba00b7c49be3c155c076f6f4ed288

SHA512
84be6f9508faea90bde6f8581a1e2be99fa2bb3b48ad6d40b4790f7b22770213de76b997d003d38e1877a6b204e9f07f3e4e7617beefa9cb84e0db870ead8109

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
8cbc5c0f9687e16b2f034fa1bddac2ca

SHA1
e4d07e5fbdabbedd61da9fcbd57a933027b26b42

SHA256
c0c98fbb55a7179dede026d44202526681cba00b7c49be3c155c076f6f4ed288

SHA512
84be6f9508faea90bde6f8581a1e2be99fa2bb3b48ad6d40b4790f7b22770213de76b997d003d38e1877a6b204e9f07f3e4e7617beefa9cb84e0db870ead8109

Download Submit
C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe

Filesize
84KB

MD5
2e3ad29eae7ad5b4b719f66cfa6f9570

SHA1
177c42ec99be0538778616b9beab5e0fcf293c96

SHA256
875c5b534e24241808b0385d79ce30a6475a45bf98ed73fc2b4ce81234c3a96c

SHA512
ac886317931cb2edb92ea494bc093532e09a5f5c0067229f35d2028112b37467024b70fa7219d859391ba445212067ee7acc637249b2eeb23e2e3c84836c946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe

Filesize
84KB

MD5
2e3ad29eae7ad5b4b719f66cfa6f9570

SHA1
177c42ec99be0538778616b9beab5e0fcf293c96

SHA256
875c5b534e24241808b0385d79ce30a6475a45bf98ed73fc2b4ce81234c3a96c

SHA512
ac886317931cb2edb92ea494bc093532e09a5f5c0067229f35d2028112b37467024b70fa7219d859391ba445212067ee7acc637249b2eeb23e2e3c84836c946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe

Filesize
84KB

MD5
2e3ad29eae7ad5b4b719f66cfa6f9570

SHA1
177c42ec99be0538778616b9beab5e0fcf293c96

SHA256
875c5b534e24241808b0385d79ce30a6475a45bf98ed73fc2b4ce81234c3a96c

SHA512
ac886317931cb2edb92ea494bc093532e09a5f5c0067229f35d2028112b37467024b70fa7219d859391ba445212067ee7acc637249b2eeb23e2e3c84836c946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
3b3176a89b089f6ab0fe36056bbf55b5

SHA1
f317514380daf2bc1cd9a2bd370127e4c3457273

SHA256
efe52e90990042647b0fd6d26425d941c3d57e4ea4b21190c1b724c766019655

SHA512
8fc90cc65fd693101dedfbda867d44444435bd98cdf635a9259335e694b112bca65615492b4aaa79ef0c5962c963d59faa3d4f481c8ddeef4f1ae07378ab72a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
3b3176a89b089f6ab0fe36056bbf55b5

SHA1
f317514380daf2bc1cd9a2bd370127e4c3457273

SHA256
efe52e90990042647b0fd6d26425d941c3d57e4ea4b21190c1b724c766019655

SHA512
8fc90cc65fd693101dedfbda867d44444435bd98cdf635a9259335e694b112bca65615492b4aaa79ef0c5962c963d59faa3d4f481c8ddeef4f1ae07378ab72a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
3b3176a89b089f6ab0fe36056bbf55b5

SHA1
f317514380daf2bc1cd9a2bd370127e4c3457273

SHA256
efe52e90990042647b0fd6d26425d941c3d57e4ea4b21190c1b724c766019655

SHA512
8fc90cc65fd693101dedfbda867d44444435bd98cdf635a9259335e694b112bca65615492b4aaa79ef0c5962c963d59faa3d4f481c8ddeef4f1ae07378ab72a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
3b3176a89b089f6ab0fe36056bbf55b5

SHA1
f317514380daf2bc1cd9a2bd370127e4c3457273

SHA256
efe52e90990042647b0fd6d26425d941c3d57e4ea4b21190c1b724c766019655

SHA512
8fc90cc65fd693101dedfbda867d44444435bd98cdf635a9259335e694b112bca65615492b4aaa79ef0c5962c963d59faa3d4f481c8ddeef4f1ae07378ab72a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
04467aa5263190b3d6d0982fa838b1e0

SHA1
a9b84a06a0f58b0e6eeb76bb2a31618171b836e5

SHA256
73c63cca7830a897ef4294afff1ef1ff166c323982cbd088ab37a4ccbfe3d93b

SHA512
5fea9f6750571378f5423c9d556fd3fda97540a141db7a489d697a796ca4c08ad60e02f764bb7830efcb8e1067af1034dc31b38e9496150fa1b551bd973376c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
04467aa5263190b3d6d0982fa838b1e0

SHA1
a9b84a06a0f58b0e6eeb76bb2a31618171b836e5

SHA256
73c63cca7830a897ef4294afff1ef1ff166c323982cbd088ab37a4ccbfe3d93b

SHA512
5fea9f6750571378f5423c9d556fd3fda97540a141db7a489d697a796ca4c08ad60e02f764bb7830efcb8e1067af1034dc31b38e9496150fa1b551bd973376c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
84KB

MD5
2d20d3b2c4929151aabe011821b40c45

SHA1
0413bd27b3e2218cdf6f32a91521925658f5b45a

SHA256
4b0505b6b77c2dd362b5601a4da3b6510037e1b643927548cb713b3bc2af945b

SHA512
bafd792058e2566e980a021647795922c441b22cf5e59e4f2dd0dcaaa4ec64c814649b875810e1a31eed1cf2fb4d8cec700f66c1279f7ca9aadd66f300a33cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
84KB

MD5
2d20d3b2c4929151aabe011821b40c45

SHA1
0413bd27b3e2218cdf6f32a91521925658f5b45a

SHA256
4b0505b6b77c2dd362b5601a4da3b6510037e1b643927548cb713b3bc2af945b

SHA512
bafd792058e2566e980a021647795922c441b22cf5e59e4f2dd0dcaaa4ec64c814649b875810e1a31eed1cf2fb4d8cec700f66c1279f7ca9aadd66f300a33cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
84KB

MD5
12f352226e940f742d434250e7c384c0

SHA1
0d27d37f0490f632f09940cf1e954c150ee1c53d

SHA256
7c5595bd7fdf5c8845c6be2eb0e3e98c233d4ad23084481782530115b2d86083

SHA512
639215d360018415f7ae54fe0447dde379d10b2bde6656f9cc8df0a3bf01de0acb79af13b89de2a5efc617cc8305ffbac69552594c62019392a74091d7227599

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
84KB

MD5
12f352226e940f742d434250e7c384c0

SHA1
0d27d37f0490f632f09940cf1e954c150ee1c53d

SHA256
7c5595bd7fdf5c8845c6be2eb0e3e98c233d4ad23084481782530115b2d86083

SHA512
639215d360018415f7ae54fe0447dde379d10b2bde6656f9cc8df0a3bf01de0acb79af13b89de2a5efc617cc8305ffbac69552594c62019392a74091d7227599

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
84KB

MD5
04467aa5263190b3d6d0982fa838b1e0

SHA1
a9b84a06a0f58b0e6eeb76bb2a31618171b836e5

SHA256
73c63cca7830a897ef4294afff1ef1ff166c323982cbd088ab37a4ccbfe3d93b

SHA512
5fea9f6750571378f5423c9d556fd3fda97540a141db7a489d697a796ca4c08ad60e02f764bb7830efcb8e1067af1034dc31b38e9496150fa1b551bd973376c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
84KB

MD5
04467aa5263190b3d6d0982fa838b1e0

SHA1
a9b84a06a0f58b0e6eeb76bb2a31618171b836e5

SHA256
73c63cca7830a897ef4294afff1ef1ff166c323982cbd088ab37a4ccbfe3d93b

SHA512
5fea9f6750571378f5423c9d556fd3fda97540a141db7a489d697a796ca4c08ad60e02f764bb7830efcb8e1067af1034dc31b38e9496150fa1b551bd973376c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
84KB

MD5
2e3ad29eae7ad5b4b719f66cfa6f9570

SHA1
177c42ec99be0538778616b9beab5e0fcf293c96

SHA256
875c5b534e24241808b0385d79ce30a6475a45bf98ed73fc2b4ce81234c3a96c

SHA512
ac886317931cb2edb92ea494bc093532e09a5f5c0067229f35d2028112b37467024b70fa7219d859391ba445212067ee7acc637249b2eeb23e2e3c84836c946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
84KB

MD5
2e3ad29eae7ad5b4b719f66cfa6f9570

SHA1
177c42ec99be0538778616b9beab5e0fcf293c96

SHA256
875c5b534e24241808b0385d79ce30a6475a45bf98ed73fc2b4ce81234c3a96c

SHA512
ac886317931cb2edb92ea494bc093532e09a5f5c0067229f35d2028112b37467024b70fa7219d859391ba445212067ee7acc637249b2eeb23e2e3c84836c946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
2e3ad29eae7ad5b4b719f66cfa6f9570

SHA1
177c42ec99be0538778616b9beab5e0fcf293c96

SHA256
875c5b534e24241808b0385d79ce30a6475a45bf98ed73fc2b4ce81234c3a96c

SHA512
ac886317931cb2edb92ea494bc093532e09a5f5c0067229f35d2028112b37467024b70fa7219d859391ba445212067ee7acc637249b2eeb23e2e3c84836c946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
2e3ad29eae7ad5b4b719f66cfa6f9570

SHA1
177c42ec99be0538778616b9beab5e0fcf293c96

SHA256
875c5b534e24241808b0385d79ce30a6475a45bf98ed73fc2b4ce81234c3a96c

SHA512
ac886317931cb2edb92ea494bc093532e09a5f5c0067229f35d2028112b37467024b70fa7219d859391ba445212067ee7acc637249b2eeb23e2e3c84836c946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
04467aa5263190b3d6d0982fa838b1e0

SHA1
a9b84a06a0f58b0e6eeb76bb2a31618171b836e5

SHA256
73c63cca7830a897ef4294afff1ef1ff166c323982cbd088ab37a4ccbfe3d93b

SHA512
5fea9f6750571378f5423c9d556fd3fda97540a141db7a489d697a796ca4c08ad60e02f764bb7830efcb8e1067af1034dc31b38e9496150fa1b551bd973376c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
04467aa5263190b3d6d0982fa838b1e0

SHA1
a9b84a06a0f58b0e6eeb76bb2a31618171b836e5

SHA256
73c63cca7830a897ef4294afff1ef1ff166c323982cbd088ab37a4ccbfe3d93b

SHA512
5fea9f6750571378f5423c9d556fd3fda97540a141db7a489d697a796ca4c08ad60e02f764bb7830efcb8e1067af1034dc31b38e9496150fa1b551bd973376c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe

Filesize
84KB

MD5
36d502533cde49f9ce84b26cdb12d059

SHA1
14f621dca1f2dcdf19b1db642048a10d7c7fe211

SHA256
def088b1e11ae0e88a877c432334627f7037d5dd8c709a10620bd421f481d05f

SHA512
0b968b21beee4d207fa96bb29a2233ce514a378d589861b346a701698c9b63c8d583ae6e6cff0c879537403b4c360b54e565f39e84fadb8b40a54d79b96a48c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe

Filesize
84KB

MD5
36d502533cde49f9ce84b26cdb12d059

SHA1
14f621dca1f2dcdf19b1db642048a10d7c7fe211

SHA256
def088b1e11ae0e88a877c432334627f7037d5dd8c709a10620bd421f481d05f

SHA512
0b968b21beee4d207fa96bb29a2233ce514a378d589861b346a701698c9b63c8d583ae6e6cff0c879537403b4c360b54e565f39e84fadb8b40a54d79b96a48c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe

Filesize
84KB

MD5
f6a50ee8e885085f5ec2c0b2a1872521

SHA1
76e46bf91c7015c5a0bc654f41bd3bdff394ef7c

SHA256
4ac78c8ba249be0045b76b4d250d4c702428ed6f00167d3568f7f6d912bf6b05

SHA512
54b4800a85ec66e9036dcf955282630669e098740cf6ac512d5d2d8ceca1b207adafc2a62b842064a7e6f46dc5e4653e22ba5fec2fc2ca7636b57289e454f07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe

Filesize
84KB

MD5
f6a50ee8e885085f5ec2c0b2a1872521

SHA1
76e46bf91c7015c5a0bc654f41bd3bdff394ef7c

SHA256
4ac78c8ba249be0045b76b4d250d4c702428ed6f00167d3568f7f6d912bf6b05

SHA512
54b4800a85ec66e9036dcf955282630669e098740cf6ac512d5d2d8ceca1b207adafc2a62b842064a7e6f46dc5e4653e22ba5fec2fc2ca7636b57289e454f07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe

Filesize
84KB

MD5
f6a50ee8e885085f5ec2c0b2a1872521

SHA1
76e46bf91c7015c5a0bc654f41bd3bdff394ef7c

SHA256
4ac78c8ba249be0045b76b4d250d4c702428ed6f00167d3568f7f6d912bf6b05

SHA512
54b4800a85ec66e9036dcf955282630669e098740cf6ac512d5d2d8ceca1b207adafc2a62b842064a7e6f46dc5e4653e22ba5fec2fc2ca7636b57289e454f07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe

Filesize
84KB

MD5
f6a50ee8e885085f5ec2c0b2a1872521

SHA1
76e46bf91c7015c5a0bc654f41bd3bdff394ef7c

SHA256
4ac78c8ba249be0045b76b4d250d4c702428ed6f00167d3568f7f6d912bf6b05

SHA512
54b4800a85ec66e9036dcf955282630669e098740cf6ac512d5d2d8ceca1b207adafc2a62b842064a7e6f46dc5e4653e22ba5fec2fc2ca7636b57289e454f07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe

Filesize
84KB

MD5
8c30dfef115f09e35489b245865f3d2e

SHA1
282d39e24db8ffe581c01ca852ebf6d366b31146

SHA256
e70c81b700e38056b02dcff64e07f74cb1f6b6e88fe2c9130e0d956fc2238298

SHA512
6d0dbc3211edc873f847763a62bcdafbca72663b400aa361c26b182d85c47f983aa039ca25c24e23d41e1ce6b95f9ac396ac79bcd406a82f99ab7035222fc1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe

Filesize
84KB

MD5
8c30dfef115f09e35489b245865f3d2e

SHA1
282d39e24db8ffe581c01ca852ebf6d366b31146

SHA256
e70c81b700e38056b02dcff64e07f74cb1f6b6e88fe2c9130e0d956fc2238298

SHA512
6d0dbc3211edc873f847763a62bcdafbca72663b400aa361c26b182d85c47f983aa039ca25c24e23d41e1ce6b95f9ac396ac79bcd406a82f99ab7035222fc1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe

Filesize
84KB

MD5
8c30dfef115f09e35489b245865f3d2e

SHA1
282d39e24db8ffe581c01ca852ebf6d366b31146

SHA256
e70c81b700e38056b02dcff64e07f74cb1f6b6e88fe2c9130e0d956fc2238298

SHA512
6d0dbc3211edc873f847763a62bcdafbca72663b400aa361c26b182d85c47f983aa039ca25c24e23d41e1ce6b95f9ac396ac79bcd406a82f99ab7035222fc1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe

Filesize
84KB

MD5
8c30dfef115f09e35489b245865f3d2e

SHA1
282d39e24db8ffe581c01ca852ebf6d366b31146

SHA256
e70c81b700e38056b02dcff64e07f74cb1f6b6e88fe2c9130e0d956fc2238298

SHA512
6d0dbc3211edc873f847763a62bcdafbca72663b400aa361c26b182d85c47f983aa039ca25c24e23d41e1ce6b95f9ac396ac79bcd406a82f99ab7035222fc1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe

Filesize
84KB

MD5
0328ed6fa1c004a0b70d2258e503df9f

SHA1
c08abc552bd88768620338951bd9f4f073cb6be7

SHA256
48759a38075c0a9b53c1673ab7a0d8ed6ef78363283038abf3968f2506422796

SHA512
81264dcc0f39e0092b16ed60a527e5b03854781f1692861010894337d484e866350a4b15e75a4e099079a48709e0604264b6bb383908e7bb27ee93b71476785b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe

Filesize
84KB

MD5
0328ed6fa1c004a0b70d2258e503df9f

SHA1
c08abc552bd88768620338951bd9f4f073cb6be7

SHA256
48759a38075c0a9b53c1673ab7a0d8ed6ef78363283038abf3968f2506422796

SHA512
81264dcc0f39e0092b16ed60a527e5b03854781f1692861010894337d484e866350a4b15e75a4e099079a48709e0604264b6bb383908e7bb27ee93b71476785b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe

Filesize
84KB

MD5
fa8b8b7b2b85de31a6b174c9fe28c31f

SHA1
8ee417792d51db427eea8d947f72a74510ae4cbc

SHA256
37ef899705384dad0c7b2635a792f676153560806b412c768b8c59fd21618595

SHA512
7478192d0b4fe6d016f1f6f7128f7589b1193160c415aaedf7b040d30d15b6ee8904575ab218c7403ce988bc48f3b1f21b971f7825547e87124367071b2292e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe

Filesize
84KB

MD5
fa8b8b7b2b85de31a6b174c9fe28c31f

SHA1
8ee417792d51db427eea8d947f72a74510ae4cbc

SHA256
37ef899705384dad0c7b2635a792f676153560806b412c768b8c59fd21618595

SHA512
7478192d0b4fe6d016f1f6f7128f7589b1193160c415aaedf7b040d30d15b6ee8904575ab218c7403ce988bc48f3b1f21b971f7825547e87124367071b2292e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
165e4c78e6ce4d5400f5c6a96036994f

SHA1
6b4e6c64de9af3e304b92361491582d0cbd1a8cf

SHA256
0e77d13f92f74b174d6d8ad7e040c7b9b7552029b1b32373826237a3a88071ff

SHA512
4d8f0cdff7658dca91dd61a99632960656e8b6b31bd65eb1e3784e0fd761d5f63fbdc1e14d851fb40599a3a3f64d1bf47e6a802ac6129255dd80c9c5fba75c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\backup.exe

Filesize
84KB

MD5
5065482f1a02739517844c802b5de3e4

SHA1
ef9b47329e77c2e0c207d3eb64ec01c7b1ba83a4

SHA256
cf1990fed31ba21967dc95867d67749b93c0f198e1b8da258266b98ffcbd930f

SHA512
8785c21f9fce3e2e295e3151cb1ae6f2ba75f9b285371a3342c2e816c72107f51ed24106d50b8e1674c72d400eefc1654c341e41175c18cb15c4425a23c30ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\backup.exe

Filesize
84KB

MD5
5065482f1a02739517844c802b5de3e4

SHA1
ef9b47329e77c2e0c207d3eb64ec01c7b1ba83a4

SHA256
cf1990fed31ba21967dc95867d67749b93c0f198e1b8da258266b98ffcbd930f

SHA512
8785c21f9fce3e2e295e3151cb1ae6f2ba75f9b285371a3342c2e816c72107f51ed24106d50b8e1674c72d400eefc1654c341e41175c18cb15c4425a23c30ad8

Download Submit
C:\backup.exe

Filesize
84KB

MD5
16eafc4ba60f4400190fb21f8029fdca

SHA1
ebeb548adfc1b807252aee972a073e8bfee0accb

SHA256
41e019b38433927fc361ef6f98a28eb9a0c7c8949cc9e325deeb8c7d2f9f2136

SHA512
18c5aa42b5358049873ae075aec2028db47ddb49f964401a4eb9b724d4d528ee999cf96cf1130b08b72e6d06479563f29e351046db824db5772705f081701380

Download Submit
C:\backup.exe

Filesize
84KB

MD5
16eafc4ba60f4400190fb21f8029fdca

SHA1
ebeb548adfc1b807252aee972a073e8bfee0accb

SHA256
41e019b38433927fc361ef6f98a28eb9a0c7c8949cc9e325deeb8c7d2f9f2136

SHA512
18c5aa42b5358049873ae075aec2028db47ddb49f964401a4eb9b724d4d528ee999cf96cf1130b08b72e6d06479563f29e351046db824db5772705f081701380

Download Submit
C:\odt\backup.exe

Filesize
84KB

MD5
546fb6d437390da9c4c6d6c9f5269ce4

SHA1
d18834cf56a2cd74e3bee3b7aac6fa3881c46151

SHA256
8f252fbde0ec28f3535a1a5fa83abc81d43587d6edb23af7ea4a8b835cd9bb1f

SHA512
08e016b04f9584fbeeac55e464bcbb3dfac1782c342b0ed9ba7b07c9b5221aa91290c70765088c6056e5c8fe640ae5b954c5d8611873914bce657c33ea43f46a

Download Submit
C:\odt\backup.exe

Filesize
84KB

MD5
546fb6d437390da9c4c6d6c9f5269ce4

SHA1
d18834cf56a2cd74e3bee3b7aac6fa3881c46151

SHA256
8f252fbde0ec28f3535a1a5fa83abc81d43587d6edb23af7ea4a8b835cd9bb1f

SHA512
08e016b04f9584fbeeac55e464bcbb3dfac1782c342b0ed9ba7b07c9b5221aa91290c70765088c6056e5c8fe640ae5b954c5d8611873914bce657c33ea43f46a

Download Submit
memory/816-82-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/848-307-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/920-150-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/980-334-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/988-258-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1044-213-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1152-105-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1328-325-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1348-347-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1492-288-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1580-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1628-268-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1648-357-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-231-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1700-274-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1744-253-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1804-119-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-204-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1860-352-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1860-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1864-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1872-306-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1892-217-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1924-297-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2004-117-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2144-93-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2160-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2164-366-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2244-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2248-346-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2288-171-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2412-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2496-215-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2588-316-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2636-317-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3036-242-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3212-327-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3296-279-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3804-367-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3808-337-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3868-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3868-53-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3888-208-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3960-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4024-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4208-229-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4220-196-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4224-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4224-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4236-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4236-108-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4424-240-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4424-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4452-210-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4556-293-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4572-241-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4736-187-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4760-263-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4788-283-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4924-250-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4992-230-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5008-188-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5112-374-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads