51175b2d22e470a943f12c6acee6a60ae845b9bad36a1b4f91865f7069e28c76

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7845a4f627c524d3bf3559a310fdf480.exe
Size

450KB
MD5

7845a4f627c524d3bf3559a310fdf480
SHA1

5f8d3001b28f4df0657dbf07a1b9d624e4036c46
SHA256

51175b2d22e470a943f12c6acee6a60ae845b9bad36a1b4f91865f7069e28c76
SHA512

765b21d808c9f4999025c85eab02c0f98470a7cbbb553641f34978279aeb29612d272f0d43256da2ac1900bba1a72790b64b7aeff5493042ee029e29f33341d9
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKPyLylze70wi3BEmRjmJO:BeT7BVwxfvLFwjRRl

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 50 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	sihclient.exe

Executes dropped EXE 53 IoCs

pid	Process
3324	backup.exe
2816	backup.exe
4224	backup.exe
3116	backup.exe
1688	backup.exe
1660	backup.exe
2764	backup.exe
1152	backup.exe
2624	backup.exe
2036	backup.exe
3748	backup.exe
2544	backup.exe
2128	backup.exe
3056	backup.exe
1492	backup.exe
4972	backup.exe
980	backup.exe
60	backup.exe
1772	backup.exe
2072	backup.exe
3396	backup.exe
4332	backup.exe
2684	backup.exe
1348	backup.exe
2896	backup.exe
2500	backup.exe
2116	backup.exe
2220	backup.exe
3332	backup.exe
1416	backup.exe
4920	backup.exe
1420	backup.exe
2052	backup.exe
3440	backup.exe
4536	backup.exe
1884	backup.exe
2332	backup.exe
3860	backup.exe
2068	backup.exe
2364	data.exe
2764	sihclient.exe
2172	backup.exe
644	data.exe
4352	backup.exe
3672	backup.exe
4788	backup.exe
2324	backup.exe
1200	backup.exe
3752	backup.exe
4084	backup.exe
1048	backup.exe
856	wmiprvse.exe
4008	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4976-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022da3-6.dat	upx
behavioral2/files/0x0007000000022da3-7.dat	upx
behavioral2/files/0x0009000000022dbc-11.dat	upx
behavioral2/files/0x0009000000022dbc-12.dat	upx
behavioral2/files/0x0009000000022dbc-13.dat	upx
behavioral2/files/0x0008000000022dbf-18.dat	upx
behavioral2/memory/2816-19-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022dbf-20.dat	upx
behavioral2/files/0x000200000001e83e-25.dat	upx
behavioral2/files/0x000200000001e83e-26.dat	upx
behavioral2/memory/1688-34-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0009000000022e69-33.dat	upx
behavioral2/memory/3116-32-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0009000000022e69-31.dat	upx
behavioral2/files/0x0008000000022e6a-40.dat	upx
behavioral2/files/0x0008000000022e6a-39.dat	upx
behavioral2/files/0x000a000000022e6b-44.dat	upx
behavioral2/files/0x000a000000022e6b-46.dat	upx
behavioral2/files/0x0007000000022e7c-52.dat	upx
behavioral2/files/0x0007000000022e7c-51.dat	upx
behavioral2/memory/2764-54-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e7d-57.dat	upx
behavioral2/memory/4976-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e7d-58.dat	upx
behavioral2/files/0x0008000000022e80-67.dat	upx
behavioral2/memory/3324-69-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e80-66.dat	upx
behavioral2/memory/2624-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e8f-74.dat	upx
behavioral2/files/0x0007000000022e8f-73.dat	upx
behavioral2/memory/1152-64-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2036-80-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e90-82.dat	upx
behavioral2/memory/3748-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e91-88.dat	upx
behavioral2/files/0x0007000000022e91-86.dat	upx
behavioral2/files/0x0007000000022e90-81.dat	upx
behavioral2/memory/4224-83-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e93-96.dat	upx
behavioral2/files/0x0006000000022e95-100.dat	upx
behavioral2/memory/1688-97-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1660-102-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e93-95.dat	upx
behavioral2/files/0x0006000000022e95-104.dat	upx
behavioral2/files/0x0006000000022e97-109.dat	upx
behavioral2/files/0x0006000000022e97-110.dat	upx
behavioral2/files/0x0006000000022e99-114.dat	upx
behavioral2/files/0x0006000000022e99-116.dat	upx
behavioral2/memory/3056-119-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4972-121-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e96-123.dat	upx
behavioral2/files/0x0007000000022e96-124.dat	upx
behavioral2/memory/2128-129-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1492-128-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e94-132.dat	upx
behavioral2/files/0x0007000000022e94-133.dat	upx
behavioral2/memory/980-127-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e9a-137.dat	upx
behavioral2/files/0x0008000000022e9a-139.dat	upx
behavioral2/files/0x0006000000022e9c-145.dat	upx
behavioral2/files/0x0006000000022e9c-144.dat	upx
behavioral2/memory/2072-151-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e9d-150.dat	upx

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
3324	backup.exe
2816	backup.exe
4224	backup.exe
3116	backup.exe
1688	backup.exe
1660	backup.exe
2764	backup.exe
1152	backup.exe
2624	backup.exe
2036	backup.exe
3748	backup.exe
2544	backup.exe
2128	backup.exe
3056	backup.exe
1492	backup.exe
4972	backup.exe
980	backup.exe
60	backup.exe
1772	backup.exe
2072	backup.exe
3396	backup.exe
4332	backup.exe
2684	backup.exe
1348	backup.exe
2896	backup.exe
2500	backup.exe
2116	backup.exe
3332	backup.exe
2220	backup.exe
1416	backup.exe
4920	backup.exe
1420	backup.exe
2052	backup.exe
3440	backup.exe
4536	backup.exe
1884	backup.exe
2332	backup.exe
3860	backup.exe
2068	backup.exe
2364	backup.exe
2764	sihclient.exe
2172	backup.exe
644	data.exe
4352	backup.exe
3672	backup.exe
4788	backup.exe
2324	backup.exe
1200	backup.exe
3752	backup.exe
4084	backup.exe
1048	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 3324	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	85
PID 4976 wrote to memory of 3324	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	85
PID 4976 wrote to memory of 3324	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	85
PID 4976 wrote to memory of 2816	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	86
PID 4976 wrote to memory of 2816	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	86
PID 4976 wrote to memory of 2816	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	86
PID 4976 wrote to memory of 4224	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	87
PID 4976 wrote to memory of 4224	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	87
PID 4976 wrote to memory of 4224	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	87
PID 4976 wrote to memory of 3116	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	88
PID 4976 wrote to memory of 3116	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	88
PID 4976 wrote to memory of 3116	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	88
PID 4976 wrote to memory of 1688	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	89
PID 4976 wrote to memory of 1688	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	89
PID 4976 wrote to memory of 1688	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	89
PID 3324 wrote to memory of 1660	3324	backup.exe	90
PID 3324 wrote to memory of 1660	3324	backup.exe	90
PID 3324 wrote to memory of 1660	3324	backup.exe	90
PID 4976 wrote to memory of 2764	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	91
PID 4976 wrote to memory of 2764	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	91
PID 4976 wrote to memory of 2764	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	91
PID 1660 wrote to memory of 1152	1660	backup.exe	92
PID 1660 wrote to memory of 1152	1660	backup.exe	92
PID 1660 wrote to memory of 1152	1660	backup.exe	92
PID 4976 wrote to memory of 2624	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	93
PID 4976 wrote to memory of 2624	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	93
PID 4976 wrote to memory of 2624	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	93
PID 1660 wrote to memory of 2036	1660	backup.exe	94
PID 1660 wrote to memory of 2036	1660	backup.exe	94
PID 1660 wrote to memory of 2036	1660	backup.exe	94
PID 4976 wrote to memory of 3748	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	95
PID 4976 wrote to memory of 3748	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	95
PID 4976 wrote to memory of 3748	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	95
PID 1660 wrote to memory of 2544	1660	backup.exe	96
PID 1660 wrote to memory of 2544	1660	backup.exe	96
PID 1660 wrote to memory of 2544	1660	backup.exe	96
PID 4976 wrote to memory of 2128	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	97
PID 4976 wrote to memory of 2128	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	97
PID 4976 wrote to memory of 2128	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	97
PID 2544 wrote to memory of 3056	2544	backup.exe	98
PID 2544 wrote to memory of 3056	2544	backup.exe	98
PID 2544 wrote to memory of 3056	2544	backup.exe	98
PID 2128 wrote to memory of 1492	2128	backup.exe	99
PID 2128 wrote to memory of 1492	2128	backup.exe	99
PID 2128 wrote to memory of 1492	2128	backup.exe	99
PID 3056 wrote to memory of 4972	3056	backup.exe	100
PID 3056 wrote to memory of 4972	3056	backup.exe	100
PID 3056 wrote to memory of 4972	3056	backup.exe	100
PID 1492 wrote to memory of 980	1492	backup.exe	101
PID 1492 wrote to memory of 980	1492	backup.exe	101
PID 1492 wrote to memory of 980	1492	backup.exe	101
PID 2544 wrote to memory of 60	2544	backup.exe	102
PID 2544 wrote to memory of 60	2544	backup.exe	102
PID 2544 wrote to memory of 60	2544	backup.exe	102
PID 4976 wrote to memory of 1772	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	103
PID 4976 wrote to memory of 1772	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	103
PID 4976 wrote to memory of 1772	4976	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	103
PID 60 wrote to memory of 2072	60	backup.exe	104
PID 60 wrote to memory of 2072	60	backup.exe	104
PID 60 wrote to memory of 2072	60	backup.exe	104
PID 1772 wrote to memory of 3396	1772	backup.exe	105
PID 1772 wrote to memory of 3396	1772	backup.exe	105
PID 1772 wrote to memory of 3396	1772	backup.exe	105
PID 60 wrote to memory of 4332	60	backup.exe	106

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.7845a4f627c524d3bf3559a310fdf480.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7845a4f627c524d3bf3559a310fdf480.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4976
- C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\backup.exe C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1152
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2036
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2544
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3056
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4972
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:60
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2072
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4332
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1348
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4920
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2052
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3440
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1884
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3860
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\data.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:2172
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        
        PID:4352
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\data.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        
        PID:4788
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        
        PID:1200
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        
        PID:1048
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        
        PID:4008
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:2664
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        
        PID:3184
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:2496
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:2276
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2116
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:3892
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:4140
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:4992
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:4856
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:4228
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:4984
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:2764
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:920
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:3800
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1048
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:4924
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\data.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:820
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:2748
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:4108
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:4300
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:4856
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:4120
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:1804
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:1200
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:2940
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:444
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:3380
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:3664
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:1688
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2364
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\data.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:5080
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:3768
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:4648
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        
        PID:2200
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:5028
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\data.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:4272
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:1448
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:4992
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:1512
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:848
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:4804
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:1040
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:976
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:8
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:4556
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\System Restore.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:676
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:4740
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4296
        
        C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3476
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:4668
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:2116
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:3628
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:4912
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:3112
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:3664
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:2116
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:444
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\update.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:1112
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1864
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:4908
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1404
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:4984
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2144
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2232
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2472
        
        C:\Program Files\Common Files\System\ado\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\update.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:3564
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4776
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\
        8⤵
        
        PID:4940
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\
        9⤵
        
        PID:2060
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\
        9⤵
        
        PID:2972
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\
        8⤵
        
        PID:1308
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1580
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2396
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:4640
        
        C:\Program Files\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2608
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2888
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2248
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:4760
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:3056
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2728
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:660
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2332
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:3112
        
        C:\Program Files\Common Files\System\msadc\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1304
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1016
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:4228
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2116
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\update.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:4960
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1196
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:5000
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1664
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1276
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:4892
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        
        PID:2604
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        
        PID:2212
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:1152
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:3408
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:3016
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:4480
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:896
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:4540
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        
        PID:2764
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:2072
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2276
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2232
      - C:\Program Files\Internet Explorer\de-DE\System Restore.exe
        
        "C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:3248
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1612
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:3476
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:4080
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:4208
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1132
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:4980
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4732
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
        7⤵
        
        PID:1688
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\
        8⤵
        
        PID:4956
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\BHO\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\BHO\
        9⤵
        
        PID:4496
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\
        9⤵
        
        PID:2820
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x86\
        10⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x64\
        10⤵
        
        PID:2172
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Extensions\
        9⤵
        
        PID:2120
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\edge_feedback\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\edge_feedback\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\edge_feedback\
        9⤵
        
        PID:2764
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\
        9⤵
        
        PID:1124
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win10\data.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win10\data.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win10\
        10⤵
        
        PID:2136
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Installer\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Installer\
        9⤵
        
        PID:2592
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Locales\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Locales\
        9⤵
        
        PID:1548
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\MEIPreload\
        9⤵
        
        PID:4536
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Notifications\
        9⤵
        
        PID:3520
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\ResiliencyLinks\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\ResiliencyLinks\update.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\ResiliencyLinks\
        9⤵
        
        PID:1052
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\PdfPreview\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\PdfPreview\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\PdfPreview\
        9⤵
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\System Restore.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\
        8⤵
        
        PID:3868
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2052
      - C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        6⤵
        
        PID:4764
        
        C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        7⤵
        
        PID:3288
        
        C:\Program Files\Java\jdk-1.8\include\update.exe
        
        "C:\Program Files\Java\jdk-1.8\include\update.exe" C:\Program Files\Java\jdk-1.8\include\
        7⤵
        
        PID:1612
        
        C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        8⤵
        
        PID:4828
        
        C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
        9⤵
        
        PID:1504
        
        C:\Program Files\Java\jdk-1.8\jre\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\backup.exe" C:\Program Files\Java\jdk-1.8\jre\
        7⤵
        
        PID:4832
        
        C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
        8⤵
        
        PID:3916
        
        C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        9⤵
        
        PID:4328
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\
        10⤵
        
        PID:848
        
        C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        9⤵
        
        PID:924
        
        C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
        9⤵
        
        PID:4980
        
        C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
        8⤵
        
        PID:4416
        
        C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
        9⤵
        
        PID:2912
        
        C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
        9⤵
        
        PID:880
        
        C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
        8⤵
        
        PID:3292
        
        C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        9⤵
        
        PID:2640
        
        C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        9⤵
        
        PID:1936
        
        C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        9⤵
        
        PID:2812
        
        C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
        9⤵
        
        PID:1540
        
        C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
        9⤵
        
        PID:3336
        
        C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
        9⤵
        
        PID:1848
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\
        9⤵
        
        PID:116
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
        10⤵
        
        PID:4916
        
        C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\
        9⤵
        
        PID:4952
        
        C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
        9⤵
        
        PID:456
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\
        9⤵
        
        PID:1732
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\
        10⤵
        
        PID:1476
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\
        11⤵
        
        PID:4980
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
        11⤵
        
        PID:4668
        
        C:\Program Files\Java\jdk-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
        7⤵
        
        PID:2624
        
        C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        8⤵
        
        PID:2976
        
        C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
        8⤵
        
        PID:3056
        
        C:\Program Files\Java\jdk-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
        7⤵
        
        PID:4972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\
        7⤵
        
        PID:456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
        8⤵
        
        PID:1688
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        
        PID:2060
        
        C:\Program Files\Java\jre-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
        7⤵
        
        PID:3748
        
        C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        8⤵
        
        PID:2812
        
        C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        8⤵
        
        PID:2220
        
        C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        8⤵
        
        PID:1936
        
        C:\Program Files\Java\jre-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
        7⤵
        
        PID:4880
        
        C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        8⤵
        
        PID:4568
        
        C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        8⤵
        
        PID:3452
        
        C:\Program Files\Java\jre-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
        7⤵
        
        PID:4564
        
        C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        8⤵
        
        PID:4288
        
        C:\Program Files\Java\jre-1.8\lib\amd64\System Restore.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\System Restore.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        8⤵
        
        PID:1920
        
        C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        8⤵
        
        PID:1192
        
        C:\Program Files\Java\jre-1.8\lib\deploy\data.exe
        
        "C:\Program Files\Java\jre-1.8\lib\deploy\data.exe" C:\Program Files\Java\jre-1.8\lib\deploy\
        8⤵
        
        PID:3752
        
        C:\Program Files\Java\jre-1.8\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\backup.exe" C:\Program Files\Java\jre-1.8\lib\ext\
        8⤵
        
        PID:3120
        
        C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe" C:\Program Files\Java\jre-1.8\lib\fonts\
        8⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Program Files\Java\jre-1.8\lib\images\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\
        8⤵
        
        PID:2172
        
        C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
        9⤵
        
        PID:3564
        
        C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe" C:\Program Files\Java\jre-1.8\lib\jfr\
        8⤵
        
        PID:4776
        
        C:\Program Files\Java\jre-1.8\lib\management\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\management\backup.exe" C:\Program Files\Java\jre-1.8\lib\management\
        8⤵
        
        PID:4240
        
        C:\Program Files\Java\jre-1.8\lib\security\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\
        8⤵
        
        PID:3460
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\
        9⤵
        
        PID:2640
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\limited\
        10⤵
        
        PID:896
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\
        10⤵
        
        PID:4856
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:4920
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:2636
      - C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:3484
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:4620
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:1940
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:860
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:2464
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:1512
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:5000
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:1612
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:3620
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:8
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:2224
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:4924
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:4944
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        
        PID:1200
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:4556
        
        C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        
        PID:924
        
        C:\Program Files\Microsoft Office\root\Office16\1033\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        8⤵
        
        PID:2276
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        9⤵
        
        PID:2116
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\update.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        9⤵
        
        PID:1220
        
        C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        9⤵
        
        PID:3432
        
        C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        8⤵
        
        PID:4248
        
        C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        8⤵
        
        PID:644
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        8⤵
        
        PID:1512
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        9⤵
        
        PID:1072
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
        9⤵
        
        PID:4708
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
        10⤵
        
        PID:460
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
        9⤵
        
        PID:816
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\
        9⤵
        
        PID:4536
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
        9⤵
        
        PID:1328
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
        10⤵
        
        PID:896
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
        10⤵
        
        PID:4736
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\
        10⤵
        
        PID:2144
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\
        11⤵
        
        PID:2052
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        8⤵
        
        PID:1644
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\
        8⤵
        
        PID:3408
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\
        9⤵
        
        PID:2396
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\
        9⤵
        
        PID:3328
        
        C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        8⤵
        
        PID:1540
        
        C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\
        8⤵
        
        PID:2204
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
        8⤵
        
        PID:2192
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f14\
        8⤵
        
        PID:4620
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f2\
        8⤵
        
        PID:1916
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f3\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f3\data.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f3\
        8⤵
        
        PID:652
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f33\
        8⤵
        
        PID:4164
        
        C:\Windows\Help\Corporate\backup.exe
        
        C:\Windows\Help\Corporate\backup.exe C:\Windows\Help\Corporate\
        9⤵
        
        PID:1284
        
        C:\Windows\Help\en-US\update.exe
        
        C:\Windows\Help\en-US\update.exe C:\Windows\Help\en-US\
        9⤵
        
        PID:3816
        
        C:\Windows\Help\mui\backup.exe
        
        C:\Windows\Help\mui\backup.exe C:\Windows\Help\mui\
        9⤵
        
        PID:3940
        
        C:\Windows\Help\Help\backup.exe
        
        C:\Windows\Help\Help\backup.exe C:\Windows\Help\Help\
        9⤵
        
        PID:2004
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f4\
        8⤵
        
        PID:1072
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\
        8⤵
        
        PID:2192
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\
        8⤵
        
        PID:2972
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_w1\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_w1\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_w1\
        8⤵
        
        PID:5080
        
        C:\Program Files\Microsoft Office\root\Office16\Library\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\Library\
        8⤵
        
        PID:2992
        
        C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\update.exe" C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\
        9⤵
        
        PID:3748
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\
        8⤵
        
        PID:1504
        
        C:\Program Files\Microsoft Office\root\Templates\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
        7⤵
        
        PID:3456
        
        C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        8⤵
        
        PID:1968
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\
        9⤵
        
        PID:5028
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\
        10⤵
        
        PID:560
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\
        11⤵
        
        PID:1308
        
        C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        8⤵
        
        PID:1096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\
        9⤵
        
        PID:4492
        
        C:\Program Files\Microsoft Office\root\rsod\backup.exe
        
        "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
        7⤵
        
        PID:2120
        
        C:\Program Files\Microsoft Office\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
        7⤵
        
        PID:4352
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\update.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\update.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\
        8⤵
        
        PID:3260
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\
        9⤵
        
        PID:3640
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\
        10⤵
        
        PID:1276
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\
        11⤵
        
        PID:1468
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\
        9⤵
        
        PID:4764
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\
        8⤵
        
        PID:3808
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\
        9⤵
        
        PID:844
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\
        8⤵
        
        PID:2188
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\
        9⤵
        
        PID:1164
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\
        9⤵
        
        PID:404
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\
        10⤵
        
        PID:4768
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\
        11⤵
        
        PID:4812
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\update.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\
        10⤵
        
        PID:4536
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\
        10⤵
        
        PID:2916
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\
        10⤵
        
        PID:4940
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\
        8⤵
        
        PID:2616
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\
        9⤵
        
        PID:1644
        
        C:\Program Files\Microsoft Office\root\vreg\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vreg\backup.exe" C:\Program Files\Microsoft Office\root\vreg\
        7⤵
        
        PID:2940
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:1416
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:2844
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:3552
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\
        9⤵
        
        PID:2124
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:4912
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:4696
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\
        9⤵
        
        PID:4880
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\
        10⤵
        
        PID:820
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\
        11⤵
        
        PID:116
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\
        12⤵
        
        PID:2624
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\update.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\update.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\
        13⤵
        
        PID:572
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\
        14⤵
        
        PID:2664
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        15⤵
        
        PID:4196
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
        16⤵
        
        PID:3620
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:4892
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:4856
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:560
      - C:\Program Files\Mozilla Firefox\browser\data.exe
        
        "C:\Program Files\Mozilla Firefox\browser\data.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1660
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:2796
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:4288
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:2148
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:1420
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:4232
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:1468
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\System Restore.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:3868
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:1504
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:232
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:3268
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:2028
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:4220
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:4664
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1580
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:4232
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\update.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:3224
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:3808
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:4108
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:3716
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:4220
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:4272
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:552
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:572
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:3664
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:4672
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:4412
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\update.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:3484
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:4980
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:3688
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:900
    - - C:\Program Files\VideoLAN\System Restore.exe
        
        "C:\Program Files\VideoLAN\System Restore.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:3648
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        
        PID:3912
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:2728
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        
        PID:2612
        
        C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        
        PID:5032
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:4548
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\e7a3b638f7646fc8439936218d34b2b7\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\e7a3b638f7646fc8439936218d34b2b7\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\e7a3b638f7646fc8439936218d34b2b7\
        10⤵
        
        PID:4704
        
        C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        8⤵
        
        PID:3028
        
        C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
        9⤵
        
        PID:3532
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        8⤵
        
        PID:4332
        
        C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        8⤵
        
        PID:3520
        
        C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
        9⤵
        
        PID:4480
        
        C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
        8⤵
        
        PID:2592
        
        C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
        9⤵
        
        PID:4008
        
        C:\Program Files\VideoLAN\VLC\locale\az\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\az\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\
        8⤵
        
        PID:1512
        
        C:\Program Files\VideoLAN\VLC\lua\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\backup.exe" C:\Program Files\VideoLAN\VLC\lua\
        7⤵
        
        PID:456
        
        C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe" C:\Program Files\VideoLAN\VLC\lua\extensions\
        8⤵
        
        PID:844
        
        C:\Program Files\VideoLAN\VLC\lua\http\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\
        8⤵
        
        PID:4120
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\
        9⤵
        
        PID:1872
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\
        10⤵
        
        PID:3596
        
        C:\Program Files\VideoLAN\VLC\lua\http\dialogs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\dialogs\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\dialogs\
        9⤵
        
        PID:660
        
        C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\
        8⤵
        
        PID:2220
        
        C:\Program Files\VideoLAN\VLC\lua\meta\reader\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\meta\reader\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\reader\
        9⤵
        
        PID:1788
        
        C:\Program Files\VideoLAN\VLC\lua\meta\art\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\meta\art\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\art\
        9⤵
        
        PID:116
        
        C:\Program Files\VideoLAN\VLC\lua\modules\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\modules\backup.exe" C:\Program Files\VideoLAN\VLC\lua\modules\
        8⤵
        
        PID:3888
        
        C:\Program Files\VideoLAN\VLC\skins\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\backup.exe" C:\Program Files\VideoLAN\VLC\skins\
        7⤵
        
        PID:576
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:1804
      - C:\Program Files\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files\Windows Defender\fr-FR\backup.exe" C:\Program Files\Windows Defender\fr-FR\
        6⤵
        
        PID:2912
      - C:\Program Files\Windows Defender\es-ES\backup.exe
        
        "C:\Program Files\Windows Defender\es-ES\backup.exe" C:\Program Files\Windows Defender\es-ES\
        6⤵
        
        PID:3492
      - C:\Program Files\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files\Windows Defender\de-DE\backup.exe" C:\Program Files\Windows Defender\de-DE\
        6⤵
        
        PID:4828
      - C:\Program Files\Windows Defender\it-IT\backup.exe
        
        "C:\Program Files\Windows Defender\it-IT\backup.exe" C:\Program Files\Windows Defender\it-IT\
        6⤵
        
        PID:224
        
        C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe" C:\Program Files\VideoLAN\VLC\lua\intf\modules\
        7⤵
        
        PID:4532
      - C:\Program Files\Windows Defender\ja-JP\backup.exe
        
        "C:\Program Files\Windows Defender\ja-JP\backup.exe" C:\Program Files\Windows Defender\ja-JP\
        6⤵
        
        PID:3660
    - - C:\Program Files\Windows Mail\backup.exe
        
        "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
        5⤵
        
        PID:3476
    - - C:\Program Files\Windows Media Player\backup.exe
        
        "C:\Program Files\Windows Media Player\backup.exe" C:\Program Files\Windows Media Player\
        5⤵
        
        PID:2284
      - C:\Program Files\Windows Media Player\de-DE\backup.exe
        
        "C:\Program Files\Windows Media Player\de-DE\backup.exe" C:\Program Files\Windows Media Player\de-DE\
        6⤵
        
        PID:1604
      - C:\Program Files\Windows Media Player\en-US\backup.exe
        
        "C:\Program Files\Windows Media Player\en-US\backup.exe" C:\Program Files\Windows Media Player\en-US\
        6⤵
        
        PID:2164
      - C:\Program Files\Windows Media Player\es-ES\backup.exe
        
        "C:\Program Files\Windows Media Player\es-ES\backup.exe" C:\Program Files\Windows Media Player\es-ES\
        6⤵
        
        PID:3940
      - C:\Program Files\Windows Media Player\Network Sharing\backup.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\backup.exe" C:\Program Files\Windows Media Player\Network Sharing\
        6⤵
        
        PID:3432
      - C:\Program Files\Windows Media Player\Media Renderer\update.exe
        
        "C:\Program Files\Windows Media Player\Media Renderer\update.exe" C:\Program Files\Windows Media Player\Media Renderer\
        6⤵
        
        PID:572
    - - C:\Program Files\Windows NT\System Restore.exe
        
        "C:\Program Files\Windows NT\System Restore.exe" C:\Program Files\Windows NT\
        5⤵
        
        PID:5008
  - - C:\Program Files (x86)\System Restore.exe
      "C:\Program Files (x86)\System Restore.exe" C:\Program Files (x86)\
      4⤵
      PID:2484
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:3296
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        
        PID:3716
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:4828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:3236
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:1132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:4140
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:3436
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:3764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:3448
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:4408
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:2688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:4084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:2676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:4976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:4404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:4620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:4024
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:2940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:4980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:2676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:2604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:2688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:3184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:2244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        
        PID:4332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        14⤵
        
        PID:4212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        
        PID:3484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        
        PID:4208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        14⤵
        
        PID:3024
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        14⤵
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        
        PID:1328
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        
        PID:4268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
        14⤵
        
        PID:3332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
        14⤵
        
        PID:3432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        
        PID:2504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        
        PID:2364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        13⤵
        
        PID:4704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        
        PID:2608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        14⤵
        
        PID:1612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:3224
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        12⤵
        
        PID:2128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        13⤵
        
        PID:2172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
        12⤵
        
        PID:2896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
        12⤵
        
        PID:3452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        13⤵
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
        14⤵
        
        PID:3648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        
        PID:4268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        12⤵
        
        PID:4804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        13⤵
        
        PID:4660
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\System Restore.exe
        
        "C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\
        13⤵
        
        PID:2192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
        12⤵
        
        PID:492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
        13⤵
        
        PID:4416
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
        12⤵
        
        PID:4532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
        13⤵
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
        14⤵
        
        PID:4716
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        15⤵
        
        PID:1584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        15⤵
        
        PID:116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\
        15⤵
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
        15⤵
        
        PID:5036
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
        15⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\
        15⤵
        
        PID:2220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\
        15⤵
        
        PID:644
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\
        15⤵
        
        PID:4116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\
        15⤵
        
        PID:3564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\
        15⤵
        
        PID:4048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\
        15⤵
        
        PID:3888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\
        15⤵
        
        PID:4080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\
        15⤵
        
        PID:2820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\
        15⤵
        
        PID:4556
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
        12⤵
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
        13⤵
        
        PID:4136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
        12⤵
        
        PID:3056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\
        13⤵
        
        PID:2844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\
        14⤵
        
        PID:1644
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\
        15⤵
        
        PID:2128
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\
        16⤵
        
        PID:3916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\
        13⤵
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\
        12⤵
        
        PID:2940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\
        13⤵
        
        PID:3764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\
        14⤵
        
        PID:1288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\
        14⤵
        
        PID:1888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:2388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:2124
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:5096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:3268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:2804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:3364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:1584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:4840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:4708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:1884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:2640
    - - C:\Program Files (x86)\Common Files\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System Restore.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:3456
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:4972
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2672
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:2128
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:3384
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:3328
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:2672
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:1272
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:2444
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:676
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:3564
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:2288
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:3484
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:1960
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:1304
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:4052
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1200
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:1740
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:2040
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:1660
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:4708
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:1924
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:900
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        
        PID:3380
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        
        PID:4008
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:2788
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:3572
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:4316
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:660
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:2144
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:3736
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:3764
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:556
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:4776
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:4912
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:2396
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:4024
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1612
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:3548
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:3916
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:2472
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:1688
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:4828
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:556
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:4760
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:4704
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:4840
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:3736
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1152
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2788
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1584
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        
        PID:3908
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:3228
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        9⤵
        
        PID:5016
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
        8⤵
        
        PID:2004
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        9⤵
        
        PID:4440
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
        9⤵
        
        PID:4352
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\
        9⤵
        
        PID:4528
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        9⤵
        
        PID:4952
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:4024
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:3124
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:4664
      - C:\Program Files (x86)\Common Files\Oracle\data.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\data.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:3108
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        
        PID:2120
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:2172
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:4352
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:852
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:1872
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:5044
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:4180
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2448
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:3548
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:3672
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\System Restore.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2796
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:3016
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:3800
        
        C:\Program Files (x86)\Common Files\System\es-ES\update.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\update.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:3476
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:4024
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:2324
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:5012
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:4212
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:8
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:3584
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\data.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\data.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:4736
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1292
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2660
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:4640
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\
        8⤵
        
        PID:1664
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\data.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\data.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\
        9⤵
        
        PID:4820
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\
        9⤵
        
        PID:4196
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\
        9⤵
        
        PID:556
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:2388
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:4816
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:4964
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:760
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:2636
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1464
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:2844
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2976
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Executes dropped EXE
        
        PID:1200
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:4960
      - C:\Program Files (x86)\Google\Update\update.exe
        
        "C:\Program Files (x86)\Google\Update\update.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1284
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:4444
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:3492
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:660
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:4620
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:2036
        
        C:\Program Files (x86)\Google\Update\Install\{5D02C9B9-7A41-4ABC-8923-E3E11EEC098C}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{5D02C9B9-7A41-4ABC-8923-E3E11EEC098C}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{5D02C9B9-7A41-4ABC-8923-E3E11EEC098C}\
        8⤵
        
        PID:4192
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:4872
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2804
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:900
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2124
      - C:\Program Files (x86)\Internet Explorer\es-ES\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\data.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:8
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1016
      - C:\Program Files (x86)\Internet Explorer\images\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\update.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:3028
      - C:\Program Files (x86)\Internet Explorer\it-IT\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\data.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:644
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:2940
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1016
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:2888
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:3112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:2072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        
        PID:660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:2812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        
        PID:232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:4804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:1304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        
        PID:572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        9⤵
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        9⤵
        
        PID:4856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        9⤵
        
        PID:1192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
        9⤵
        
        PID:1584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
        9⤵
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
        9⤵
        
        PID:2324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
        9⤵
        
        PID:4764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\
        9⤵
        
        PID:3460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
        10⤵
        
        PID:4944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
        10⤵
        
        PID:988
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\
        11⤵
        
        PID:3572
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\
        12⤵
        
        PID:4736
        
        C:\Program Files (x86)\Windows NT\Accessories\en-US\backup.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\en-US\backup.exe" C:\Program Files (x86)\Windows NT\Accessories\en-US\
        13⤵
        
        PID:3292
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\
        11⤵
        
        PID:2412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\
        10⤵
        
        PID:1540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\
        10⤵
        
        PID:4332
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\
        11⤵
        
        PID:4108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\
        10⤵
        
        PID:4524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\
        10⤵
        
        PID:1272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\
        10⤵
        
        PID:1096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\
        10⤵
        
        PID:1096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\
        11⤵
        
        PID:4568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\
        11⤵
        
        PID:3776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\
        12⤵
        
        PID:3752
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\
        12⤵
        
        PID:2152
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\
        12⤵
        
        PID:2140
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\
        12⤵
        
        PID:3552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\
        10⤵
        
        PID:4024
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\
        10⤵
        
        PID:2608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\
        9⤵
        
        PID:3024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\
        9⤵
        
        PID:940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\
        10⤵
        
        PID:2748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\
        9⤵
        
        PID:3548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\update.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\
        9⤵
        
        PID:1644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        8⤵
        
        PID:2188
      - C:\Program Files (x86)\Microsoft\EdgeCore\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\
        6⤵
        
        PID:1988
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\
        7⤵
        
        PID:1772
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\BHO\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\BHO\
        8⤵
        
        PID:2052
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\
        8⤵
        
        PID:1864
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x64\
        9⤵
        
        PID:2136
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x86\
        9⤵
        
        PID:3024
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\edge_feedback\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\edge_feedback\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\edge_feedback\
        8⤵
        
        PID:1272
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Extensions\
        8⤵
        
        PID:4272
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\
        8⤵
        
        PID:4564
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win10\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win10\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win10\
        9⤵
        
        PID:1892
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win11\
        9⤵
        
        PID:3552
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Installer\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Installer\
        8⤵
        
        PID:1696
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Locales\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Locales\
        8⤵
        
        PID:1936
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\MEIPreload\
        8⤵
        
        PID:3296
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Notifications\
        8⤵
        
        PID:3332
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\PdfPreview\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\PdfPreview\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\PdfPreview\
        8⤵
        
        PID:1580
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\
        8⤵
        
        PID:3660
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Mu\
        9⤵
        
        PID:3940
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Sigma\
        9⤵
        
        PID:3432
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\VisualElements\
        8⤵
        
        PID:4528
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\
        8⤵
        
        PID:568
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\
        9⤵
        
        PID:3380
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\win_x64\
        10⤵
        
        PID:3184
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\
        6⤵
        
        PID:1560
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\
        7⤵
        
        PID:1744
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\
        7⤵
        
        PID:3888
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\
        8⤵
        
        PID:572
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\118.0.2088.57\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\118.0.2088.57\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\118.0.2088.57\
        9⤵
        
        PID:3960
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\update.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        8⤵
        
        PID:2128
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\
        9⤵
        
        PID:3184
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\
        7⤵
        
        PID:3916
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\
        8⤵
        
        PID:4640
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\EDGEMITMP_F9E5D.tmp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\EDGEMITMP_F9E5D.tmp\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\EDGEMITMP_F9E5D.tmp\
        9⤵
        
        PID:3484
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Offline\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Offline\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Offline\
        7⤵
        
        PID:2200
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4288
      - C:\Program Files (x86)\Microsoft\EdgeWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\
        6⤵
        
        PID:4732
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        
        PID:1252
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2492
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:2280
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:3464
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:880
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:2060
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:5112
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        
        PID:1700
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:4080
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:1664
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\
        9⤵
        
        PID:4820
    - - C:\Program Files (x86)\Reference Assemblies\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:2136
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
        6⤵
        
        PID:1312
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:860
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:1448
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:2200
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:2128
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:1788
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:2384
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:3056
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\
        9⤵
        
        PID:4160
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\data.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\data.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:4412
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:1404
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:1044
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:816
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:1864
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:3748
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\
        9⤵
        
        PID:4892
    - - C:\Program Files (x86)\Windows Defender\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\backup.exe" C:\Program Files (x86)\Windows Defender\
        5⤵
        
        PID:3752
      - C:\Program Files (x86)\Windows Defender\es-ES\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\backup.exe" C:\Program Files (x86)\Windows Defender\es-ES\
        6⤵
        
        PID:2884
      - C:\Program Files (x86)\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\backup.exe" C:\Program Files (x86)\Windows Defender\de-DE\
        6⤵
        
        PID:2396
      - C:\Program Files (x86)\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\backup.exe" C:\Program Files (x86)\Windows Defender\fr-FR\
        6⤵
        
        PID:4992
      - C:\Program Files (x86)\Windows Defender\it-IT\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\backup.exe" C:\Program Files (x86)\Windows Defender\it-IT\
        6⤵
        
        PID:1420
      - C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe" C:\Program Files (x86)\Windows Defender\ja-JP\
        6⤵
        
        PID:4920
    - - C:\Program Files (x86)\Windows Mail\backup.exe
        
        "C:\Program Files (x86)\Windows Mail\backup.exe" C:\Program Files (x86)\Windows Mail\
        5⤵
        
        PID:2728
    - - C:\Program Files (x86)\Windows Media Player\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\backup.exe" C:\Program Files (x86)\Windows Media Player\
        5⤵
        
        PID:3336
      - C:\Program Files (x86)\Windows Media Player\es-ES\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\es-ES\backup.exe" C:\Program Files (x86)\Windows Media Player\es-ES\
        6⤵
        
        PID:4824
      - C:\Program Files (x86)\Windows Media Player\Network Sharing\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\Network Sharing\backup.exe" C:\Program Files (x86)\Windows Media Player\Network Sharing\
        6⤵
        
        PID:3296
      - C:\Program Files (x86)\Windows Media Player\Media Renderer\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\backup.exe" C:\Program Files (x86)\Windows Media Player\Media Renderer\
        6⤵
        
        PID:888
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2244
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:848
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:2496
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4648
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1016
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:5008
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        
        PID:4528
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        
        PID:1892
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:4300
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:4160
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\update.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\update.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        7⤵
        
        PID:4208
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4352
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:5008
        
        C:\Program Files\Windows NT\Accessories\backup.exe
        
        "C:\Program Files\Windows NT\Accessories\backup.exe" C:\Program Files\Windows NT\Accessories\
        7⤵
        
        PID:1576
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:4180
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:4360
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:1576
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:572
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:4696
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:3532
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:4236
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:116
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4084
      - C:\Users\Public\Downloads\System Restore.exe
        
        "C:\Users\Public\Downloads\System Restore.exe" C:\Users\Public\Downloads\
        6⤵
        
        PID:8
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:4736
      - C:\Users\Public\Pictures\data.exe
        
        C:\Users\Public\Pictures\data.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2248
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1928
  - - C:\Windows\System Restore.exe
      "C:\Windows\System Restore.exe" C:\Windows\
      4⤵
      PID:1340
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:3016
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:1900
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:2604
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:2812
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:2932
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:2280
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:1848
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:2464
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        
        PID:2508
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:1292
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:4752
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:3452
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:2276
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:3952
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:1744
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:3444
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:4660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
        7⤵
        
        PID:2812
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
        8⤵
        
        PID:2280
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        8⤵
        
        PID:3960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        8⤵
        
        PID:3716
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
        8⤵
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
        8⤵
        
        PID:4180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
        8⤵
        
        PID:5036
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
        8⤵
        
        PID:2612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
        8⤵
        
        PID:3688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
        8⤵
        
        PID:3400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
        8⤵
        
        PID:4696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
        8⤵
        
        PID:4248
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\
        8⤵
        
        PID:4964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
        8⤵
        
        PID:2128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
        8⤵
        
        PID:4496
        
        C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access\
        9⤵
        
        PID:4832
        
        C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access_output\
        9⤵
        
        PID:5028
        
        C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_filter\
        9⤵
        
        PID:1304
        
        C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_output\
        9⤵
        
        PID:3904
        
        C:\Program Files\VideoLAN\VLC\plugins\codec\update.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\codec\update.exe" C:\Program Files\VideoLAN\VLC\plugins\codec\
        9⤵
        
        PID:4748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\
        8⤵
        
        PID:4916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\
        8⤵
        
        PID:4912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\
        8⤵
        
        PID:2120
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\
        8⤵
        
        PID:3484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\
        8⤵
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\
        8⤵
        
        PID:1560
    - - C:\Windows\AppReadiness\System Restore.exe
        
        "C:\Windows\AppReadiness\System Restore.exe" C:\Windows\AppReadiness\
        5⤵
        
        PID:8
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2272
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:1616
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:4300
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:924
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:2324
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3556
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:3336
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2152
        
        C:\Program Files (x86)\Windows Media Player\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\de-DE\backup.exe" C:\Program Files (x86)\Windows Media Player\de-DE\
        8⤵
        
        PID:2468
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:1864
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2916
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:4728
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:1016
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1328
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:1740
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1724
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\
        7⤵
        
        PID:1444
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:2212
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:568
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3492
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:4080
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        Drops file in Program Files directory
        
        PID:2500
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:3464
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\Microsoft.Ink\System Restore.exe" C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:1576
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4640
        
        C:\Program Files\Windows NT\Accessories\en-US\backup.exe
        
        "C:\Program Files\Windows NT\Accessories\en-US\backup.exe" C:\Program Files\Windows NT\Accessories\en-US\
        8⤵
        
        PID:4892
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:4220
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3664
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:2320
        
        C:\Windows\assembly\GAC_32\MSBuild\update.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\update.exe C:\Windows\assembly\GAC_32\MSBuild\
        7⤵
        
        PID:3532
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2332
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe C:\Windows\assembly\GAC_32\mscorlib\
        7⤵
        
        PID:4360
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3620
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\
        7⤵
        
        PID:5000
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1416
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe C:\Windows\assembly\GAC_32\srmlib\
        7⤵
        
        PID:1616
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe C:\Windows\assembly\GAC_32\System.Data\
        7⤵
        
        PID:4668
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3328
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\
        7⤵
        
        PID:4924
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\
        7⤵
        
        PID:5032
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:5016
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe C:\Windows\assembly\GAC_32\System.Printing\
        7⤵
        
        PID:2976
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\
        7⤵
        
        PID:1808
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:4624
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:3120
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        
        PID:2804
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3556
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:5096
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3672
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        
        PID:4864
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4872
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\
        9⤵
        
        PID:572
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:3716
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\data.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\data.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:3124
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:4160
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe C:\Windows\assembly\GAC_64\MSBuild\
        7⤵
        
        PID:1492
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4288
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe C:\Windows\assembly\GAC_64\mscorlib\
        7⤵
        
        PID:896
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3124
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\
        7⤵
        
        PID:1348
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4116
        
        C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\
        9⤵
        
        PID:2504
        
        C:\Windows\assembly\GAC_64\srmlib\backup.exe
        
        C:\Windows\assembly\GAC_64\srmlib\backup.exe C:\Windows\assembly\GAC_64\srmlib\
        7⤵
        
        PID:1308
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2220
        
        C:\Windows\assembly\GAC_64\System.EnterpriseServices\backup.exe
        
        C:\Windows\assembly\GAC_64\System.EnterpriseServices\backup.exe C:\Windows\assembly\GAC_64\System.EnterpriseServices\
        7⤵
        
        PID:1928
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_64\System.Data.OracleClient\
        7⤵
        
        PID:2496
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:3464
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        
        PID:2224
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\System Restore.exe
        
        "C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4024
        
        C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        8⤵
        
        PID:652
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\System Restore.exe
        
        "C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\System Restore.exe" C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\
        7⤵
        
        PID:2072
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\
        8⤵
        
        PID:3024
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\
        8⤵
        
        PID:1468
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\
        8⤵
        
        PID:1580
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\
        9⤵
        
        PID:3460
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\
        8⤵
        
        PID:4880
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\
        8⤵
        
        PID:1788
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\
        7⤵
        
        PID:4332
        
        C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        8⤵
        
        PID:3456
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\
        7⤵
        
        PID:1584
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1860
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe C:\Windows\assembly\GAC_MSIL\dfsvc\
        7⤵
        
        PID:184
        
        C:\Windows\assembly\GAC_MSIL\IEHost\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\IEHost\backup.exe C:\Windows\assembly\GAC_MSIL\IEHost\
        7⤵
        
        PID:4296
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        
        PID:4212
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\
        7⤵
        
        PID:4548
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        
        PID:2036
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\
        7⤵
        
        PID:1284
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\
        7⤵
        
        PID:4976
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f334dca9ae9dc06224e9b43875b3aa90\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f334dca9ae9dc06224e9b43875b3aa90\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f334dca9ae9dc06224e9b43875b3aa90\
        8⤵
        
        PID:1048
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\
        8⤵
        
        PID:4792
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\System Restore.exe
        
        "C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\
        7⤵
        
        PID:1196
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\a58e7ee3da68f0652eb20fee5787ba4b\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\a58e7ee3da68f0652eb20fee5787ba4b\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\a58e7ee3da68f0652eb20fee5787ba4b\
        8⤵
        
        PID:652
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:1372
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1076
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        
        PID:4832
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:4760
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:1892
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        
        PID:3572
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        
        PID:4452
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe C:\Windows\Branding\Basebrd\ja-JP\
        7⤵
        
        PID:1740
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
        7⤵
        
        PID:5000
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        
        PID:3304
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        
        PID:4792
    - - C:\Windows\Containers\backup.exe
        
        C:\Windows\Containers\backup.exe C:\Windows\Containers\
        5⤵
        
        PID:4316
      - C:\Windows\Containers\serviced\backup.exe
        
        C:\Windows\Containers\serviced\backup.exe C:\Windows\Containers\serviced\
        6⤵
        
        PID:2496
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\
        7⤵
        
        PID:1804
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\
        6⤵
        
        PID:4564
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2464
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:4516
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:1808
    - - C:\Windows\DiagTrack\backup.exe
        
        C:\Windows\DiagTrack\backup.exe C:\Windows\DiagTrack\
        5⤵
        
        PID:1804
      - C:\Windows\DiagTrack\Scenarios\backup.exe
        
        C:\Windows\DiagTrack\Scenarios\backup.exe C:\Windows\DiagTrack\Scenarios\
        6⤵
        
        PID:1504
      - C:\Windows\DiagTrack\Settings\backup.exe
        
        C:\Windows\DiagTrack\Settings\backup.exe C:\Windows\DiagTrack\Settings\
        6⤵
        
        PID:2232
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        
        PID:4920
      - C:\Windows\DigitalLocker\en-US\backup.exe
        
        C:\Windows\DigitalLocker\en-US\backup.exe C:\Windows\DigitalLocker\en-US\
        6⤵
        
        PID:3456
    - - C:\Windows\Fonts\backup.exe
        
        C:\Windows\Fonts\backup.exe C:\Windows\Fonts\
        5⤵
        
        PID:2396
    - - C:\Windows\fr-FR\backup.exe
        
        C:\Windows\fr-FR\backup.exe C:\Windows\fr-FR\
        5⤵
        
        PID:5080
    - - C:\Windows\es-ES\backup.exe
        
        C:\Windows\es-ES\backup.exe C:\Windows\es-ES\
        5⤵
        
        PID:5052
    - - C:\Windows\en-US\backup.exe
        
        C:\Windows\en-US\backup.exe C:\Windows\en-US\
        5⤵
        
        PID:1348
    - - C:\Windows\Globalization\backup.exe
        
        C:\Windows\Globalization\backup.exe C:\Windows\Globalization\
        5⤵
        
        PID:1132
      - C:\Windows\Globalization\ELS\backup.exe
        
        C:\Windows\Globalization\ELS\backup.exe C:\Windows\Globalization\ELS\
        6⤵
        
        PID:3492
      - C:\Windows\Globalization\ICU\backup.exe
        
        C:\Windows\Globalization\ICU\backup.exe C:\Windows\Globalization\ICU\
        6⤵
        
        PID:1096
    - - C:\Windows\GameBarPresenceWriter\update.exe
        
        C:\Windows\GameBarPresenceWriter\update.exe C:\Windows\GameBarPresenceWriter\
        5⤵
        
        PID:5056
    - - C:\Windows\IdentityCRL\backup.exe
        
        C:\Windows\IdentityCRL\backup.exe C:\Windows\IdentityCRL\
        5⤵
        
        PID:940
- C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe
  C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe C:\Users\Admin\AppData\Local\Temp\225938852\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3116
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:980
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe
      C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\
        5⤵
        
        PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1416
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1420
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\de\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\de\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\de\
        5⤵
        
        PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\el\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\el\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\el\
        5⤵
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\en_US\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\en_US\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\en_US\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2068
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es\
        5⤵
        
        PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es_419\data.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es_419\data.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es_419\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:644
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\et\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\et\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\et\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3672
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\eu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\eu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\eu\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2324
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fi\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fi\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fi\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3752
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fil\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fil\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fil\
        5⤵
        
        PID:4084
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr\
        5⤵
        
        PID:856
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr_CA\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr_CA\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr_CA\
        5⤵
        
        PID:1040
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gl\
        5⤵
        
        PID:388
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gu\
        5⤵
        
        PID:852
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hr\System Restore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hr\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hr\
        5⤵
        
        PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hu\update.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hu\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hu\
        5⤵
        
        PID:2296
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\is\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\is\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\is\
        5⤵
        
        PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\it\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\it\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\it\
        5⤵
        
        PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\iw\data.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\iw\data.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\iw\
        5⤵
        
        PID:2408
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ja\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ja\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ja\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ka\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ka\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ka\
        5⤵
        
        PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\kk\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\kk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\kk\
        5⤵
        
        PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\km\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\km\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\km\
        5⤵
        
        PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ko\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ko\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ko\
        5⤵
        
        PID:4300
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lo\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lo\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lo\
        5⤵
        
        PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lt\System Restore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lt\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lt\
        5⤵
        
        PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ml\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ml\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ml\
        5⤵
        
        PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mn\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mn\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mn\
        5⤵
        
        PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mr\
        5⤵
        
        PID:2140
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ms\data.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ms\data.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ms\
        5⤵
        
        PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\my\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\my\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\my\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ne\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ne\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ne\
        5⤵
        
        PID:3124
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\nl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\nl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\nl\
        5⤵
        
        PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\no\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\no\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\no\
        5⤵
        
        PID:4564
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\pt_BR\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\pt_BR\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\pt_BR\
        5⤵
        
        PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ro\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ro\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ro\
        5⤵
        
        PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\si\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\si\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\si\
        5⤵
        
        PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sk\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sk\
        5⤵
        
        PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sl\
        5⤵
        
        PID:880
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sr\
        5⤵
        
        PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sv\update.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sv\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sv\
        5⤵
        
        PID:660
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ta\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ta\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ta\
        5⤵
        
        PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\th\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\th\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\th\
        5⤵
        
        PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ur\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ur\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ur\
        5⤵
        
        PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\vi\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\vi\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\vi\
        5⤵
        
        PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\zh_CN\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\zh_CN\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\zh_CN\
        5⤵
        
        PID:1616
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\
  2⤵
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\CRX_INSTALL\update.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\CRX_INSTALL\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\CRX_INSTALL\
    3⤵
    PID:860

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv f57e0lelgk+NUa73LxfPGg.0.1
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Executes dropped EXE
PID:856

C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
1⤵
PID:2896
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
  2⤵
  PID:848
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
    3⤵
    PID:3548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\
      4⤵
      PID:1328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\data.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\
        5⤵
        
        PID:3916

C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
1⤵
PID:2128

C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
"C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
1⤵
PID:4912

C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\System Restore.exe
"C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\
1⤵
PID:4976
- C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe
  "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\
  2⤵
  PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\
1⤵
PID:5112

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
1⤵
PID:4040
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\
  2⤵
  PID:1464
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\
  2⤵
  PID:4044
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\
  2⤵
  PID:3296
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\data.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\
  2⤵
  PID:3808
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\
  2⤵
  PID:3296
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\
  2⤵
  PID:8
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\
  2⤵
  PID:3868
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\data.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\
  2⤵
  PID:1860

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\
1⤵
PID:1444

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\
1⤵
PID:1836

C:\Program Files (x86)\Windows NT\TableTextService\backup.exe
"C:\Program Files (x86)\Windows NT\TableTextService\backup.exe" C:\Program Files (x86)\Windows NT\TableTextService\
1⤵
PID:4672

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\ResiliencyLinks\edge_feedback\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\ResiliencyLinks\edge_feedback\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\ResiliencyLinks\edge_feedback\
1⤵
PID:1900

C:\Program Files\VideoLAN\VLC\skins\fonts\backup.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\backup.exe" C:\Program Files\VideoLAN\VLC\skins\fonts\
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
450KB

MD5
e6a01ea56097e2009ea848a0273f9e1e

SHA1
3a40e4b50683cf5698e08d8a7969c6f83e40fb3f

SHA256
ea7b57a795e8956ad17673588dc14ef2e60ac0aa261cfa584e52692556182622

SHA512
de1b349973e68ec01f8f69186f27768ed476521fefbfd1383c090c9a97b7926ba6f01c9b52443838dda12de6170095d6c4f980fbb89c800708d20a8bbf6f6e8a

Download Submit
C:\PerfLogs\backup.exe

Filesize
450KB

MD5
e6a01ea56097e2009ea848a0273f9e1e

SHA1
3a40e4b50683cf5698e08d8a7969c6f83e40fb3f

SHA256
ea7b57a795e8956ad17673588dc14ef2e60ac0aa261cfa584e52692556182622

SHA512
de1b349973e68ec01f8f69186f27768ed476521fefbfd1383c090c9a97b7926ba6f01c9b52443838dda12de6170095d6c4f980fbb89c800708d20a8bbf6f6e8a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
450KB

MD5
58510903d7655689a80609d149bc9fa4

SHA1
e8b48cdaed0c8461596fb6b25c75f66e5dec06ca

SHA256
68ab481a1b070031d06e9c0f0781a3a6db267b4747e42dc91f6ae6976fb51b7a

SHA512
9735925e8165394bd785bf16d287876348dbd3566046b6a1f2969aa87581ee4d7f9d65c2b0cce6cb61ddc3792a277c3217299bf02c9717b3bf955451706917bc

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
450KB

MD5
58510903d7655689a80609d149bc9fa4

SHA1
e8b48cdaed0c8461596fb6b25c75f66e5dec06ca

SHA256
68ab481a1b070031d06e9c0f0781a3a6db267b4747e42dc91f6ae6976fb51b7a

SHA512
9735925e8165394bd785bf16d287876348dbd3566046b6a1f2969aa87581ee4d7f9d65c2b0cce6cb61ddc3792a277c3217299bf02c9717b3bf955451706917bc

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
450KB

MD5
771cb4eb315110783c33c5794007dc7a

SHA1
8ea058e07995db38e534eb0b69aae23ab683c039

SHA256
eab039c955ef0d951ec0ff06ea12d08468a411eaf97ae7d1edaf5ed30f2dd2c9

SHA512
5665cf72cdc086e6db78df9d867d46a824545182ef36213d240289f3db2f07f010efa53754a9172b947b50d9fed8e77c5c56175f85e492f5e22bc97db101ea9a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
450KB

MD5
771cb4eb315110783c33c5794007dc7a

SHA1
8ea058e07995db38e534eb0b69aae23ab683c039

SHA256
eab039c955ef0d951ec0ff06ea12d08468a411eaf97ae7d1edaf5ed30f2dd2c9

SHA512
5665cf72cdc086e6db78df9d867d46a824545182ef36213d240289f3db2f07f010efa53754a9172b947b50d9fed8e77c5c56175f85e492f5e22bc97db101ea9a

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
450KB

MD5
4ebac021326348fc72cfc2f2ce49d52e

SHA1
6672777995bab29c025c556e7a3087f182e7ea53

SHA256
017bd1ce21e437eba92c9c5f7c7926f4539a54b533457a7a1efe520e31e1de81

SHA512
4dfaf2f69028dd62610d4a5a85461f2dd8fcf6aa87bd20ba17122857b7554b1efac62e2d917d2bca13a89ad01c5569e549066341a226876047d32b76d6ad74b5

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
450KB

MD5
4ebac021326348fc72cfc2f2ce49d52e

SHA1
6672777995bab29c025c556e7a3087f182e7ea53

SHA256
017bd1ce21e437eba92c9c5f7c7926f4539a54b533457a7a1efe520e31e1de81

SHA512
4dfaf2f69028dd62610d4a5a85461f2dd8fcf6aa87bd20ba17122857b7554b1efac62e2d917d2bca13a89ad01c5569e549066341a226876047d32b76d6ad74b5

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
450KB

MD5
771cb4eb315110783c33c5794007dc7a

SHA1
8ea058e07995db38e534eb0b69aae23ab683c039

SHA256
eab039c955ef0d951ec0ff06ea12d08468a411eaf97ae7d1edaf5ed30f2dd2c9

SHA512
5665cf72cdc086e6db78df9d867d46a824545182ef36213d240289f3db2f07f010efa53754a9172b947b50d9fed8e77c5c56175f85e492f5e22bc97db101ea9a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
450KB

MD5
771cb4eb315110783c33c5794007dc7a

SHA1
8ea058e07995db38e534eb0b69aae23ab683c039

SHA256
eab039c955ef0d951ec0ff06ea12d08468a411eaf97ae7d1edaf5ed30f2dd2c9

SHA512
5665cf72cdc086e6db78df9d867d46a824545182ef36213d240289f3db2f07f010efa53754a9172b947b50d9fed8e77c5c56175f85e492f5e22bc97db101ea9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
450KB

MD5
68d83dabb5502f8b881685ab40609239

SHA1
6b3587a5b6f26c1fd2437a6fe25f7bc5526ef1ad

SHA256
dc0d038f17e7004aa4c8564dc73e02c5904a8d1d0e087a21a430fedcfd310be0

SHA512
207e174da1d0b7b41a48b7b9f1c41ef12d24a287f4199a717daa53ab74e625351afd0b8dc4f285399ed6fdda406898cf2ab771fb4cd5f16b630f87f757975e14

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
450KB

MD5
68d83dabb5502f8b881685ab40609239

SHA1
6b3587a5b6f26c1fd2437a6fe25f7bc5526ef1ad

SHA256
dc0d038f17e7004aa4c8564dc73e02c5904a8d1d0e087a21a430fedcfd310be0

SHA512
207e174da1d0b7b41a48b7b9f1c41ef12d24a287f4199a717daa53ab74e625351afd0b8dc4f285399ed6fdda406898cf2ab771fb4cd5f16b630f87f757975e14

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
450KB

MD5
4ebac021326348fc72cfc2f2ce49d52e

SHA1
6672777995bab29c025c556e7a3087f182e7ea53

SHA256
017bd1ce21e437eba92c9c5f7c7926f4539a54b533457a7a1efe520e31e1de81

SHA512
4dfaf2f69028dd62610d4a5a85461f2dd8fcf6aa87bd20ba17122857b7554b1efac62e2d917d2bca13a89ad01c5569e549066341a226876047d32b76d6ad74b5

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
450KB

MD5
4ebac021326348fc72cfc2f2ce49d52e

SHA1
6672777995bab29c025c556e7a3087f182e7ea53

SHA256
017bd1ce21e437eba92c9c5f7c7926f4539a54b533457a7a1efe520e31e1de81

SHA512
4dfaf2f69028dd62610d4a5a85461f2dd8fcf6aa87bd20ba17122857b7554b1efac62e2d917d2bca13a89ad01c5569e549066341a226876047d32b76d6ad74b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
450KB

MD5
36ef4d56600e7978a9e967ff9a0c5147

SHA1
6657638c906f46fa3c750f771d80aeeab6dc2134

SHA256
6e66948835ac7be7ade0eb38969676a5d93c08107ae7f384ddd9308e9dbe5f66

SHA512
1e33c20ed2db36cba59cc6f73909db3cf8179a8678469c6ec4ae27d11d69c1f4dbd991dfb11209725a819700b10092727ee73c9d2c82e687f36d7974842c510e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
450KB

MD5
36ef4d56600e7978a9e967ff9a0c5147

SHA1
6657638c906f46fa3c750f771d80aeeab6dc2134

SHA256
6e66948835ac7be7ade0eb38969676a5d93c08107ae7f384ddd9308e9dbe5f66

SHA512
1e33c20ed2db36cba59cc6f73909db3cf8179a8678469c6ec4ae27d11d69c1f4dbd991dfb11209725a819700b10092727ee73c9d2c82e687f36d7974842c510e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
450KB

MD5
68d83dabb5502f8b881685ab40609239

SHA1
6b3587a5b6f26c1fd2437a6fe25f7bc5526ef1ad

SHA256
dc0d038f17e7004aa4c8564dc73e02c5904a8d1d0e087a21a430fedcfd310be0

SHA512
207e174da1d0b7b41a48b7b9f1c41ef12d24a287f4199a717daa53ab74e625351afd0b8dc4f285399ed6fdda406898cf2ab771fb4cd5f16b630f87f757975e14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
450KB

MD5
68d83dabb5502f8b881685ab40609239

SHA1
6b3587a5b6f26c1fd2437a6fe25f7bc5526ef1ad

SHA256
dc0d038f17e7004aa4c8564dc73e02c5904a8d1d0e087a21a430fedcfd310be0

SHA512
207e174da1d0b7b41a48b7b9f1c41ef12d24a287f4199a717daa53ab74e625351afd0b8dc4f285399ed6fdda406898cf2ab771fb4cd5f16b630f87f757975e14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
450KB

MD5
83f394f6e87f43e85261708de85af20a

SHA1
2fa86d0474235ed147f1290eaf6004f676812100

SHA256
b831eb5cc854277b23a8e1cfded36cb798b387c49cd7767503c1d97b3c46c951

SHA512
51d3ee17ce85bce6ce022bb8625284fe520efc62b5195458ef3d01ee436aa1f0b0b1a18628299e3754bc09e592c02d4781b0b3bb72e33cefe7761d2a2c94a4dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
450KB

MD5
83f394f6e87f43e85261708de85af20a

SHA1
2fa86d0474235ed147f1290eaf6004f676812100

SHA256
b831eb5cc854277b23a8e1cfded36cb798b387c49cd7767503c1d97b3c46c951

SHA512
51d3ee17ce85bce6ce022bb8625284fe520efc62b5195458ef3d01ee436aa1f0b0b1a18628299e3754bc09e592c02d4781b0b3bb72e33cefe7761d2a2c94a4dd

Download Submit
C:\Program Files\backup.exe

Filesize
450KB

MD5
e6a01ea56097e2009ea848a0273f9e1e

SHA1
3a40e4b50683cf5698e08d8a7969c6f83e40fb3f

SHA256
ea7b57a795e8956ad17673588dc14ef2e60ac0aa261cfa584e52692556182622

SHA512
de1b349973e68ec01f8f69186f27768ed476521fefbfd1383c090c9a97b7926ba6f01c9b52443838dda12de6170095d6c4f980fbb89c800708d20a8bbf6f6e8a

Download Submit
C:\Program Files\backup.exe

Filesize
450KB

MD5
e6a01ea56097e2009ea848a0273f9e1e

SHA1
3a40e4b50683cf5698e08d8a7969c6f83e40fb3f

SHA256
ea7b57a795e8956ad17673588dc14ef2e60ac0aa261cfa584e52692556182622

SHA512
de1b349973e68ec01f8f69186f27768ed476521fefbfd1383c090c9a97b7926ba6f01c9b52443838dda12de6170095d6c4f980fbb89c800708d20a8bbf6f6e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe

Filesize
450KB

MD5
8d61c4d58ad10191ed62d3a426eb6e98

SHA1
cec8738d1903fce950b19a65b5f70455ebeb1080

SHA256
e4e4083d971f2b6ed607765261bfb99180780d5d826e8e955fc5ba1f38342d00

SHA512
898acaef3bfeca8ece7ec5e08b75a94a4744e736bf6f3f95927c28067ecdb63f516c3780291c75ad5d6dd1ebf606e5eec345bea765160360ee4fd06aabe42d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe

Filesize
450KB

MD5
8d61c4d58ad10191ed62d3a426eb6e98

SHA1
cec8738d1903fce950b19a65b5f70455ebeb1080

SHA256
e4e4083d971f2b6ed607765261bfb99180780d5d826e8e955fc5ba1f38342d00

SHA512
898acaef3bfeca8ece7ec5e08b75a94a4744e736bf6f3f95927c28067ecdb63f516c3780291c75ad5d6dd1ebf606e5eec345bea765160360ee4fd06aabe42d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\225938852\backup.exe

Filesize
450KB

MD5
8d61c4d58ad10191ed62d3a426eb6e98

SHA1
cec8738d1903fce950b19a65b5f70455ebeb1080

SHA256
e4e4083d971f2b6ed607765261bfb99180780d5d826e8e955fc5ba1f38342d00

SHA512
898acaef3bfeca8ece7ec5e08b75a94a4744e736bf6f3f95927c28067ecdb63f516c3780291c75ad5d6dd1ebf606e5eec345bea765160360ee4fd06aabe42d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
450KB

MD5
d766ab402f363eaf6e2a9322f6c3fe19

SHA1
d17dbd8e941be3611695a46fbba9c4c54b31e014

SHA256
5a8c0b14bc63bc1e97df633653e78b67ed8695614759679fd295a09402752cb8

SHA512
a5a4a6e24ad5e9a5b421deb187b5c4b59051342c3d94a0a5b6061610c9c9877449ddf07c4c7807edd028bf7884f0d9004fb797ba635742f678f0071b02fe32b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
450KB

MD5
d766ab402f363eaf6e2a9322f6c3fe19

SHA1
d17dbd8e941be3611695a46fbba9c4c54b31e014

SHA256
5a8c0b14bc63bc1e97df633653e78b67ed8695614759679fd295a09402752cb8

SHA512
a5a4a6e24ad5e9a5b421deb187b5c4b59051342c3d94a0a5b6061610c9c9877449ddf07c4c7807edd028bf7884f0d9004fb797ba635742f678f0071b02fe32b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
450KB

MD5
d766ab402f363eaf6e2a9322f6c3fe19

SHA1
d17dbd8e941be3611695a46fbba9c4c54b31e014

SHA256
5a8c0b14bc63bc1e97df633653e78b67ed8695614759679fd295a09402752cb8

SHA512
a5a4a6e24ad5e9a5b421deb187b5c4b59051342c3d94a0a5b6061610c9c9877449ddf07c4c7807edd028bf7884f0d9004fb797ba635742f678f0071b02fe32b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
450KB

MD5
d766ab402f363eaf6e2a9322f6c3fe19

SHA1
d17dbd8e941be3611695a46fbba9c4c54b31e014

SHA256
5a8c0b14bc63bc1e97df633653e78b67ed8695614759679fd295a09402752cb8

SHA512
a5a4a6e24ad5e9a5b421deb187b5c4b59051342c3d94a0a5b6061610c9c9877449ddf07c4c7807edd028bf7884f0d9004fb797ba635742f678f0071b02fe32b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
450KB

MD5
cc2b698e1ff2c1970989fa7c97cdec16

SHA1
9d4a28fe4f1a34361468bb6bc6bf577b00feacca

SHA256
d980f9acbedda1e920b04c927c38de46e435fa355c8ff5eff8ca343c1bfe97a0

SHA512
8a830f657192ffc45352ed004d471237cf5905346f5824ffe4fc8caa95322870994b45adab97c8e975f63b1b61687d04cd4635f3322c3b606478b80a5dbceb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
450KB

MD5
cc2b698e1ff2c1970989fa7c97cdec16

SHA1
9d4a28fe4f1a34361468bb6bc6bf577b00feacca

SHA256
d980f9acbedda1e920b04c927c38de46e435fa355c8ff5eff8ca343c1bfe97a0

SHA512
8a830f657192ffc45352ed004d471237cf5905346f5824ffe4fc8caa95322870994b45adab97c8e975f63b1b61687d04cd4635f3322c3b606478b80a5dbceb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
450KB

MD5
8b913dffb365d907e96e97e603db2ecb

SHA1
ffbedde32491761a9a77b4a4b618e528f735e376

SHA256
134c45e2b831c2de0bd591d40a628d87666a47089d44776501d084bbc8349f13

SHA512
4ecbab2e83df06c2f45d4f2fa82eb88c9dc25fa52ba7699fbcd794f26d073322f6b01b29dc53dac3a207985d6df0dedd61d61631c760047d54db54198c373865

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
450KB

MD5
8b913dffb365d907e96e97e603db2ecb

SHA1
ffbedde32491761a9a77b4a4b618e528f735e376

SHA256
134c45e2b831c2de0bd591d40a628d87666a47089d44776501d084bbc8349f13

SHA512
4ecbab2e83df06c2f45d4f2fa82eb88c9dc25fa52ba7699fbcd794f26d073322f6b01b29dc53dac3a207985d6df0dedd61d61631c760047d54db54198c373865

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
450KB

MD5
159705cc11f986f090b30e9cb52c587c

SHA1
68b5f9b39859945fc4f17724d87aeecd727c250e

SHA256
608b1e334a282a5847a8bea726b4e56e3b25942403eb0242eedbfb6692effac9

SHA512
042e644a474c4a8642407d91b7a0af8a4b04ddc670fedd7735620aaaf19892956de9fb96a91bc5e105be47fd6b4b61821c132a9308ed16a147230e2d4f195c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
450KB

MD5
159705cc11f986f090b30e9cb52c587c

SHA1
68b5f9b39859945fc4f17724d87aeecd727c250e

SHA256
608b1e334a282a5847a8bea726b4e56e3b25942403eb0242eedbfb6692effac9

SHA512
042e644a474c4a8642407d91b7a0af8a4b04ddc670fedd7735620aaaf19892956de9fb96a91bc5e105be47fd6b4b61821c132a9308ed16a147230e2d4f195c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
450KB

MD5
cc2b698e1ff2c1970989fa7c97cdec16

SHA1
9d4a28fe4f1a34361468bb6bc6bf577b00feacca

SHA256
d980f9acbedda1e920b04c927c38de46e435fa355c8ff5eff8ca343c1bfe97a0

SHA512
8a830f657192ffc45352ed004d471237cf5905346f5824ffe4fc8caa95322870994b45adab97c8e975f63b1b61687d04cd4635f3322c3b606478b80a5dbceb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
450KB

MD5
cc2b698e1ff2c1970989fa7c97cdec16

SHA1
9d4a28fe4f1a34361468bb6bc6bf577b00feacca

SHA256
d980f9acbedda1e920b04c927c38de46e435fa355c8ff5eff8ca343c1bfe97a0

SHA512
8a830f657192ffc45352ed004d471237cf5905346f5824ffe4fc8caa95322870994b45adab97c8e975f63b1b61687d04cd4635f3322c3b606478b80a5dbceb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
450KB

MD5
8d61c4d58ad10191ed62d3a426eb6e98

SHA1
cec8738d1903fce950b19a65b5f70455ebeb1080

SHA256
e4e4083d971f2b6ed607765261bfb99180780d5d826e8e955fc5ba1f38342d00

SHA512
898acaef3bfeca8ece7ec5e08b75a94a4744e736bf6f3f95927c28067ecdb63f516c3780291c75ad5d6dd1ebf606e5eec345bea765160360ee4fd06aabe42d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
450KB

MD5
8d61c4d58ad10191ed62d3a426eb6e98

SHA1
cec8738d1903fce950b19a65b5f70455ebeb1080

SHA256
e4e4083d971f2b6ed607765261bfb99180780d5d826e8e955fc5ba1f38342d00

SHA512
898acaef3bfeca8ece7ec5e08b75a94a4744e736bf6f3f95927c28067ecdb63f516c3780291c75ad5d6dd1ebf606e5eec345bea765160360ee4fd06aabe42d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
450KB

MD5
8d61c4d58ad10191ed62d3a426eb6e98

SHA1
cec8738d1903fce950b19a65b5f70455ebeb1080

SHA256
e4e4083d971f2b6ed607765261bfb99180780d5d826e8e955fc5ba1f38342d00

SHA512
898acaef3bfeca8ece7ec5e08b75a94a4744e736bf6f3f95927c28067ecdb63f516c3780291c75ad5d6dd1ebf606e5eec345bea765160360ee4fd06aabe42d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
450KB

MD5
8d61c4d58ad10191ed62d3a426eb6e98

SHA1
cec8738d1903fce950b19a65b5f70455ebeb1080

SHA256
e4e4083d971f2b6ed607765261bfb99180780d5d826e8e955fc5ba1f38342d00

SHA512
898acaef3bfeca8ece7ec5e08b75a94a4744e736bf6f3f95927c28067ecdb63f516c3780291c75ad5d6dd1ebf606e5eec345bea765160360ee4fd06aabe42d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
450KB

MD5
cc2b698e1ff2c1970989fa7c97cdec16

SHA1
9d4a28fe4f1a34361468bb6bc6bf577b00feacca

SHA256
d980f9acbedda1e920b04c927c38de46e435fa355c8ff5eff8ca343c1bfe97a0

SHA512
8a830f657192ffc45352ed004d471237cf5905346f5824ffe4fc8caa95322870994b45adab97c8e975f63b1b61687d04cd4635f3322c3b606478b80a5dbceb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
450KB

MD5
cc2b698e1ff2c1970989fa7c97cdec16

SHA1
9d4a28fe4f1a34361468bb6bc6bf577b00feacca

SHA256
d980f9acbedda1e920b04c927c38de46e435fa355c8ff5eff8ca343c1bfe97a0

SHA512
8a830f657192ffc45352ed004d471237cf5905346f5824ffe4fc8caa95322870994b45adab97c8e975f63b1b61687d04cd4635f3322c3b606478b80a5dbceb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe

Filesize
450KB

MD5
fd0706dbc1ab8ddce82636420e0bd7dd

SHA1
88f2b1fe1e312f04afda4b7016f4e6e818146a69

SHA256
2a0e35382e8ecdddc547eec985eaa28652849a38fe937b607e00587fa7b4ee13

SHA512
ad365a6ae32dd5d34a37614b5bbc78871f500b46870441b8ef9d1727644d5ddc34b961f1732d288e07887cbbad25296df43c0e24653d13fd08787445889b179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe

Filesize
450KB

MD5
fd0706dbc1ab8ddce82636420e0bd7dd

SHA1
88f2b1fe1e312f04afda4b7016f4e6e818146a69

SHA256
2a0e35382e8ecdddc547eec985eaa28652849a38fe937b607e00587fa7b4ee13

SHA512
ad365a6ae32dd5d34a37614b5bbc78871f500b46870441b8ef9d1727644d5ddc34b961f1732d288e07887cbbad25296df43c0e24653d13fd08787445889b179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe

Filesize
450KB

MD5
6b5156b808c03c725ef5f8625279f0b0

SHA1
6c793c4a30fcf4af5cd33bd78a8be34841926925

SHA256
ca938d590a8c6aa60955e43ea531a535d45a617d63e2f1deceab0a083b2730ff

SHA512
457d4aaf4998c9d794640b3c8f104c1495ce12492623d1e7268824e5659f86c826395c0657644d736487ca8b75c08a5f13a8431690092c4d9cef1e19a49d81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe

Filesize
450KB

MD5
6b5156b808c03c725ef5f8625279f0b0

SHA1
6c793c4a30fcf4af5cd33bd78a8be34841926925

SHA256
ca938d590a8c6aa60955e43ea531a535d45a617d63e2f1deceab0a083b2730ff

SHA512
457d4aaf4998c9d794640b3c8f104c1495ce12492623d1e7268824e5659f86c826395c0657644d736487ca8b75c08a5f13a8431690092c4d9cef1e19a49d81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe

Filesize
450KB

MD5
6b5156b808c03c725ef5f8625279f0b0

SHA1
6c793c4a30fcf4af5cd33bd78a8be34841926925

SHA256
ca938d590a8c6aa60955e43ea531a535d45a617d63e2f1deceab0a083b2730ff

SHA512
457d4aaf4998c9d794640b3c8f104c1495ce12492623d1e7268824e5659f86c826395c0657644d736487ca8b75c08a5f13a8431690092c4d9cef1e19a49d81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe

Filesize
450KB

MD5
6b5156b808c03c725ef5f8625279f0b0

SHA1
6c793c4a30fcf4af5cd33bd78a8be34841926925

SHA256
ca938d590a8c6aa60955e43ea531a535d45a617d63e2f1deceab0a083b2730ff

SHA512
457d4aaf4998c9d794640b3c8f104c1495ce12492623d1e7268824e5659f86c826395c0657644d736487ca8b75c08a5f13a8431690092c4d9cef1e19a49d81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe

Filesize
450KB

MD5
6b5156b808c03c725ef5f8625279f0b0

SHA1
6c793c4a30fcf4af5cd33bd78a8be34841926925

SHA256
ca938d590a8c6aa60955e43ea531a535d45a617d63e2f1deceab0a083b2730ff

SHA512
457d4aaf4998c9d794640b3c8f104c1495ce12492623d1e7268824e5659f86c826395c0657644d736487ca8b75c08a5f13a8431690092c4d9cef1e19a49d81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe

Filesize
450KB

MD5
6b5156b808c03c725ef5f8625279f0b0

SHA1
6c793c4a30fcf4af5cd33bd78a8be34841926925

SHA256
ca938d590a8c6aa60955e43ea531a535d45a617d63e2f1deceab0a083b2730ff

SHA512
457d4aaf4998c9d794640b3c8f104c1495ce12492623d1e7268824e5659f86c826395c0657644d736487ca8b75c08a5f13a8431690092c4d9cef1e19a49d81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe

Filesize
450KB

MD5
c74ef6c36aac436aeedc7279b486992f

SHA1
f56a831f857973206b931f38838324c4c3e481d4

SHA256
c0004b973bfecfbd2a40f36203486f1769e629d4282428cc9054c43082fc43c1

SHA512
f7ad7fe0cb3a3b21517f5452a97cf4488625ca3bf9b53db462781f42ee103872e6bb9380fdf76b85e6ede45ef3de224b979098dd20505916dd729d895376759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe

Filesize
450KB

MD5
c74ef6c36aac436aeedc7279b486992f

SHA1
f56a831f857973206b931f38838324c4c3e481d4

SHA256
c0004b973bfecfbd2a40f36203486f1769e629d4282428cc9054c43082fc43c1

SHA512
f7ad7fe0cb3a3b21517f5452a97cf4488625ca3bf9b53db462781f42ee103872e6bb9380fdf76b85e6ede45ef3de224b979098dd20505916dd729d895376759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe

Filesize
450KB

MD5
c74ef6c36aac436aeedc7279b486992f

SHA1
f56a831f857973206b931f38838324c4c3e481d4

SHA256
c0004b973bfecfbd2a40f36203486f1769e629d4282428cc9054c43082fc43c1

SHA512
f7ad7fe0cb3a3b21517f5452a97cf4488625ca3bf9b53db462781f42ee103872e6bb9380fdf76b85e6ede45ef3de224b979098dd20505916dd729d895376759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe

Filesize
450KB

MD5
c74ef6c36aac436aeedc7279b486992f

SHA1
f56a831f857973206b931f38838324c4c3e481d4

SHA256
c0004b973bfecfbd2a40f36203486f1769e629d4282428cc9054c43082fc43c1

SHA512
f7ad7fe0cb3a3b21517f5452a97cf4488625ca3bf9b53db462781f42ee103872e6bb9380fdf76b85e6ede45ef3de224b979098dd20505916dd729d895376759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe

Filesize
450KB

MD5
b759cdf8e59cabbf509ab11e56805b10

SHA1
19bc7b88cb711993945c388a2abe873a8271965a

SHA256
616f2d8a6cc7c57173e16face0ca369f13f11d062d8f2b1902be6c90a1951019

SHA512
38ec273722402f6682eb063535c751d1ef1b8d46ee48d1b142d677842debfdec7bca46d9462a4b9b13fd2a4a5b3e1e7a636428e44767cbedc677415d2cf8ea3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe

Filesize
450KB

MD5
b759cdf8e59cabbf509ab11e56805b10

SHA1
19bc7b88cb711993945c388a2abe873a8271965a

SHA256
616f2d8a6cc7c57173e16face0ca369f13f11d062d8f2b1902be6c90a1951019

SHA512
38ec273722402f6682eb063535c751d1ef1b8d46ee48d1b142d677842debfdec7bca46d9462a4b9b13fd2a4a5b3e1e7a636428e44767cbedc677415d2cf8ea3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe

Filesize
450KB

MD5
5e31a0d1b959106e684b0314c955fe55

SHA1
8605e0bf3b4f0f10426d7e26c00b3c074d10f301

SHA256
39474f5507a013823e75da91e364dde84b69d8bb9ec3e2a2573f84e5beb7400b

SHA512
37f4d5ba7ae0b7244fde5a318ccefd37d3c6e3d94d694936a99c29d7d9729cd6eab05e4acf58244de40042a51f241d1974a84ede754fd33b57a1d5962e256c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe

Filesize
450KB

MD5
5e31a0d1b959106e684b0314c955fe55

SHA1
8605e0bf3b4f0f10426d7e26c00b3c074d10f301

SHA256
39474f5507a013823e75da91e364dde84b69d8bb9ec3e2a2573f84e5beb7400b

SHA512
37f4d5ba7ae0b7244fde5a318ccefd37d3c6e3d94d694936a99c29d7d9729cd6eab05e4acf58244de40042a51f241d1974a84ede754fd33b57a1d5962e256c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
34KB

MD5
c7ecb10558008ef122a7138c5b24311f

SHA1
56f4d092f42c98c1c368c7a71a9832d52290b47c

SHA256
0346ecae836a98df4de8cbc22997fabf4819b593cf8b4fd652f9c0fe0717f765

SHA512
d4c163a4e5359b37738df1c6d7b8d90f8ecc0834202da8e36a6d773fa1e825c4fe9eed394b1d3d7461de65c23d79c636e8c999fe16ce7d3d7e7de7067ab1870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\backup.exe

Filesize
450KB

MD5
ad5d3e2a703fac2b95d72e7c9f24bce5

SHA1
9497117c9c42c13881f746b391d1c700193cbba7

SHA256
27881f85a14844f42059fc22dd79b92116bd9e70b8e0389aa9bc04b118a2c76b

SHA512
f3b6ffb473a8beb4926c8b172f1d0c60445bdadf63ac0b78bf517d4cfaf1c581604412448f33c305b3d900b311d3a4c60b34cb6fea913723d21235afb2a0c8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C7FF5EA3-2F2B-4DAC-B5DA-E57ED8655118}\backup.exe

Filesize
450KB

MD5
ad5d3e2a703fac2b95d72e7c9f24bce5

SHA1
9497117c9c42c13881f746b391d1c700193cbba7

SHA256
27881f85a14844f42059fc22dd79b92116bd9e70b8e0389aa9bc04b118a2c76b

SHA512
f3b6ffb473a8beb4926c8b172f1d0c60445bdadf63ac0b78bf517d4cfaf1c581604412448f33c305b3d900b311d3a4c60b34cb6fea913723d21235afb2a0c8cb

Download Submit
C:\backup.exe

Filesize
450KB

MD5
233f929f80ee16145e0fb1354848be6b

SHA1
1707b9e74e023919d00dbc627e67ed5015f24b48

SHA256
b5eabe9537d8fc923deae65a69b0f3085c3ea93647d5fc5356f251de99f99c57

SHA512
7707700370a8a86f0188d79ee25586fb19d714670511c7708b9cebb1388c7d75cae1f65fd5d6c8c1d7db6f0f695f1d60fb2e2c9211751ee61bc9c08b073da3d6

Download Submit
C:\backup.exe

Filesize
450KB

MD5
233f929f80ee16145e0fb1354848be6b

SHA1
1707b9e74e023919d00dbc627e67ed5015f24b48

SHA256
b5eabe9537d8fc923deae65a69b0f3085c3ea93647d5fc5356f251de99f99c57

SHA512
7707700370a8a86f0188d79ee25586fb19d714670511c7708b9cebb1388c7d75cae1f65fd5d6c8c1d7db6f0f695f1d60fb2e2c9211751ee61bc9c08b073da3d6

Download Submit
C:\odt\backup.exe

Filesize
450KB

MD5
e6a01ea56097e2009ea848a0273f9e1e

SHA1
3a40e4b50683cf5698e08d8a7969c6f83e40fb3f

SHA256
ea7b57a795e8956ad17673588dc14ef2e60ac0aa261cfa584e52692556182622

SHA512
de1b349973e68ec01f8f69186f27768ed476521fefbfd1383c090c9a97b7926ba6f01c9b52443838dda12de6170095d6c4f980fbb89c800708d20a8bbf6f6e8a

Download Submit
C:\odt\backup.exe

Filesize
450KB

MD5
e6a01ea56097e2009ea848a0273f9e1e

SHA1
3a40e4b50683cf5698e08d8a7969c6f83e40fb3f

SHA256
ea7b57a795e8956ad17673588dc14ef2e60ac0aa261cfa584e52692556182622

SHA512
de1b349973e68ec01f8f69186f27768ed476521fefbfd1383c090c9a97b7926ba6f01c9b52443838dda12de6170095d6c4f980fbb89c800708d20a8bbf6f6e8a

Download Submit
memory/60-198-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/388-359-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/644-289-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/852-369-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/856-339-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/980-127-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1040-349-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1048-329-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1152-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1200-319-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1348-177-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1416-221-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-237-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1492-128-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1660-102-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1688-162-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1688-34-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1688-97-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1772-199-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1884-256-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2036-80-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2052-238-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-269-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2072-151-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2116-193-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2128-129-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2172-285-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2220-206-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2324-309-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2332-261-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2364-276-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2496-366-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2500-247-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2544-155-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2624-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2664-346-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2684-228-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2764-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2764-279-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2816-19-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2896-182-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3056-119-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3116-32-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3324-69-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3332-211-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3396-213-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3440-246-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3672-299-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3748-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3752-318-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3860-266-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3908-375-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4008-338-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4084-328-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4224-83-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4224-340-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4332-225-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4352-298-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4536-250-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4788-306-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4920-227-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4972-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4976-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4976-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads