5f4188ca83d8c345aa754a75531c7b8d0f5c05e23e28c7ee1bd385a9e7d1ec8c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
Size

81KB
MD5

2600051b2b33d4df95d13eaee3fc0130
SHA1

8f590fd88c2636f22e186d948e7d80c821a1d532
SHA256

5f4188ca83d8c345aa754a75531c7b8d0f5c05e23e28c7ee1bd385a9e7d1ec8c
SHA512

9b49d568bedfcc7385cb5ff7f000a31b945df091ab9ee4998b0c54f20bf69c23dfedab83f02909306400f6d8db8c39d6c909490119b3e0bbd46c73b47eece395
SSDEEP

768:2pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEm17:2eT7BVwxfvEFwjRp

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2924	backup.exe
1672	backup.exe
2216	backup.exe
5096	backup.exe
612	backup.exe
4784	backup.exe
440	backup.exe
4640	backup.exe
4052	backup.exe
4344	backup.exe
4980	backup.exe
1812	backup.exe
4104	backup.exe
960	backup.exe
1968	backup.exe
3524	backup.exe
816	backup.exe
1124	backup.exe
4524	backup.exe
3732	backup.exe
2836	backup.exe
1276	backup.exe
2936	backup.exe
1632	backup.exe
4376	backup.exe
548	backup.exe
4976	backup.exe
4708	backup.exe
2652	backup.exe
3536	backup.exe
1844	backup.exe
4656	backup.exe
536	backup.exe
5064	backup.exe
4776	backup.exe
1528	backup.exe
4204	backup.exe
4928	backup.exe
5012	backup.exe
1148	backup.exe
1672	backup.exe
3044	backup.exe
3208	backup.exe
1236	update.exe
2004	backup.exe
1420	backup.exe
4736	backup.exe
4024	backup.exe
4644	backup.exe
4396	backup.exe
2932	backup.exe
692	backup.exe
4880	backup.exe
4116	backup.exe
1544	backup.exe
4104	backup.exe
1196	backup.exe
1472	System Restore.exe
3760	backup.exe
3040	backup.exe
4212	backup.exe
948	backup.exe
3252	backup.exe
4092	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3276-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022d5f-6.dat	upx
behavioral2/files/0x0007000000022d5f-7.dat	upx
behavioral2/files/0x0006000000022d7f-12.dat	upx
behavioral2/files/0x0006000000022d7f-11.dat	upx
behavioral2/files/0x0006000000022d7f-13.dat	upx
behavioral2/files/0x0009000000022d5a-18.dat	upx
behavioral2/memory/1672-19-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0009000000022d5a-20.dat	upx
behavioral2/files/0x0006000000022d80-25.dat	upx
behavioral2/files/0x0006000000022d80-26.dat	upx
behavioral2/memory/5096-30-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022d81-32.dat	upx
behavioral2/files/0x0007000000022d81-33.dat	upx
behavioral2/files/0x0006000000022d82-38.dat	upx
behavioral2/files/0x0006000000022d82-39.dat	upx
behavioral2/files/0x0006000000022d83-43.dat	upx
behavioral2/memory/440-44-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022d83-42.dat	upx
behavioral2/files/0x0007000000022d85-53.dat	upx
behavioral2/memory/4784-51-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022d86-57.dat	upx
behavioral2/files/0x0006000000022d86-56.dat	upx
behavioral2/files/0x0007000000022d85-55.dat	upx
behavioral2/memory/4052-65-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4640-64-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3276-69-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022d87-68.dat	upx
behavioral2/files/0x0007000000022d88-72.dat	upx
behavioral2/memory/2924-73-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022d88-71.dat	upx
behavioral2/files/0x0007000000022d87-70.dat	upx
behavioral2/memory/4344-81-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4980-80-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022d89-84.dat	upx
behavioral2/files/0x0007000000022d89-85.dat	upx
behavioral2/files/0x0007000000022d8a-87.dat	upx
behavioral2/files/0x0007000000022d8a-86.dat	upx
behavioral2/files/0x0006000000022d8c-95.dat	upx
behavioral2/memory/2216-96-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022d8f-98.dat	upx
behavioral2/files/0x0006000000022d8c-100.dat	upx
behavioral2/files/0x0006000000022d8f-99.dat	upx
behavioral2/files/0x0006000000022d92-108.dat	upx
behavioral2/files/0x0006000000022d92-109.dat	upx
behavioral2/files/0x0006000000022d93-113.dat	upx
behavioral2/files/0x0006000000022d93-111.dat	upx
behavioral2/memory/612-112-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022d91-123.dat	upx
behavioral2/memory/816-119-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1968-127-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/960-126-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3524-125-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4104-129-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022d91-122.dat	upx
behavioral2/memory/440-128-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022d8d-130.dat	upx
behavioral2/files/0x0007000000022d8d-132.dat	upx
behavioral2/files/0x0007000000022d94-137.dat	upx
behavioral2/files/0x0007000000022d94-139.dat	upx
behavioral2/files/0x0006000000022d97-144.dat	upx
behavioral2/files/0x0006000000022d97-146.dat	upx
behavioral2/memory/3732-147-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022d96-149.dat	upx

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
2924	backup.exe
1672	backup.exe
2216	backup.exe
5096	backup.exe
612	backup.exe
440	backup.exe
4784	backup.exe
4640	backup.exe
4052	backup.exe
4980	backup.exe
4344	backup.exe
1812	backup.exe
4104	backup.exe
1968	backup.exe
960	backup.exe
3524	backup.exe
816	backup.exe
1124	backup.exe
4524	backup.exe
3732	backup.exe
2836	backup.exe
1276	backup.exe
2936	backup.exe
1632	backup.exe
4376	backup.exe
548	backup.exe
4976	backup.exe
4708	backup.exe
2652	backup.exe
3536	backup.exe
1844	backup.exe
4656	backup.exe
536	backup.exe
5064	backup.exe
4776	backup.exe
1528	backup.exe
4204	backup.exe
5012	backup.exe
4928	backup.exe
1148	backup.exe
1672	backup.exe
3208	backup.exe
3044	backup.exe
1236	update.exe
2004	backup.exe
1420	backup.exe
4736	backup.exe
4024	backup.exe
4644	backup.exe
4396	backup.exe
2932	backup.exe
692	backup.exe
4880	backup.exe
4116	backup.exe
1544	backup.exe
4104	backup.exe
1196	backup.exe
1472	System Restore.exe
3760	backup.exe
3040	backup.exe
4212	backup.exe
948	backup.exe
3252	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 2924	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	84
PID 3276 wrote to memory of 2924	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	84
PID 3276 wrote to memory of 2924	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	84
PID 3276 wrote to memory of 1672	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	85
PID 3276 wrote to memory of 1672	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	85
PID 3276 wrote to memory of 1672	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	85
PID 3276 wrote to memory of 2216	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	86
PID 3276 wrote to memory of 2216	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	86
PID 3276 wrote to memory of 2216	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	86
PID 3276 wrote to memory of 5096	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	87
PID 3276 wrote to memory of 5096	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	87
PID 3276 wrote to memory of 5096	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	87
PID 3276 wrote to memory of 612	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	88
PID 3276 wrote to memory of 612	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	88
PID 3276 wrote to memory of 612	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	88
PID 3276 wrote to memory of 4784	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	89
PID 3276 wrote to memory of 4784	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	89
PID 3276 wrote to memory of 4784	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	89
PID 2924 wrote to memory of 440	2924	backup.exe	90
PID 2924 wrote to memory of 440	2924	backup.exe	90
PID 2924 wrote to memory of 440	2924	backup.exe	90
PID 3276 wrote to memory of 4640	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	92
PID 3276 wrote to memory of 4640	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	92
PID 3276 wrote to memory of 4640	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	92
PID 440 wrote to memory of 4052	440	backup.exe	91
PID 440 wrote to memory of 4052	440	backup.exe	91
PID 440 wrote to memory of 4052	440	backup.exe	91
PID 440 wrote to memory of 4980	440	backup.exe	94
PID 440 wrote to memory of 4980	440	backup.exe	94
PID 440 wrote to memory of 4980	440	backup.exe	94
PID 3276 wrote to memory of 4344	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	93
PID 3276 wrote to memory of 4344	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	93
PID 3276 wrote to memory of 4344	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	93
PID 440 wrote to memory of 1812	440	backup.exe	96
PID 440 wrote to memory of 1812	440	backup.exe	96
PID 440 wrote to memory of 1812	440	backup.exe	96
PID 3276 wrote to memory of 4104	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	95
PID 3276 wrote to memory of 4104	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	95
PID 3276 wrote to memory of 4104	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	95
PID 1812 wrote to memory of 960	1812	backup.exe	97
PID 1812 wrote to memory of 960	1812	backup.exe	97
PID 1812 wrote to memory of 960	1812	backup.exe	97
PID 4104 wrote to memory of 1968	4104	backup.exe	98
PID 4104 wrote to memory of 1968	4104	backup.exe	98
PID 4104 wrote to memory of 1968	4104	backup.exe	98
PID 1968 wrote to memory of 3524	1968	backup.exe	99
PID 1968 wrote to memory of 3524	1968	backup.exe	99
PID 1968 wrote to memory of 3524	1968	backup.exe	99
PID 960 wrote to memory of 816	960	backup.exe	100
PID 960 wrote to memory of 816	960	backup.exe	100
PID 960 wrote to memory of 816	960	backup.exe	100
PID 1812 wrote to memory of 1124	1812	backup.exe	101
PID 1812 wrote to memory of 1124	1812	backup.exe	101
PID 1812 wrote to memory of 1124	1812	backup.exe	101
PID 3276 wrote to memory of 4524	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	102
PID 3276 wrote to memory of 4524	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	102
PID 3276 wrote to memory of 4524	3276	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	102
PID 1124 wrote to memory of 3732	1124	backup.exe	103
PID 1124 wrote to memory of 3732	1124	backup.exe	103
PID 1124 wrote to memory of 3732	1124	backup.exe	103
PID 4524 wrote to memory of 2836	4524	backup.exe	104
PID 4524 wrote to memory of 2836	4524	backup.exe	104
PID 4524 wrote to memory of 2836	4524	backup.exe	104
PID 1124 wrote to memory of 1276	1124	backup.exe	105

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2600051b2b33d4df95d13eaee3fc0130.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\Temp\{ADB61D77-99F4-41E2-B8E6-A5B939354786}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{ADB61D77-99F4-41E2-B8E6-A5B939354786}\backup.exe C:\Users\Admin\AppData\Local\Temp\{ADB61D77-99F4-41E2-B8E6-A5B939354786}\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2924
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4052
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4980
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1812
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:816
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1124
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3732
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1276
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:548
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4708
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1844
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4204
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5012
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1148
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3044
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4736
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4644
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        
        PID:4396
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        
        PID:692
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:4116
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4104
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:1472
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:3040
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:948
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:4092
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:3488
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        System policy modification
        
        PID:4392
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        System policy modification
        
        PID:2576
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:1092
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:2332
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2352
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:2008
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:624
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:3096
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:2436
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:2424
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:3328
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:4768
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:1472
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:2404
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:928
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:412
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:3208
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:1160
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:3852
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\update.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:4176
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:4824
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:4660
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3208
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:1932
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:4460
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\data.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:4344
        
        C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        9⤵
        
        PID:3524
        
        C:\Windows\appcompat\encapsulation\data.exe
        
        C:\Windows\appcompat\encapsulation\data.exe C:\Windows\appcompat\encapsulation\
        9⤵
        
        PID:3264
        
        C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        9⤵
        
        PID:5096
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\update.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:2612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
        9⤵
        
        PID:3272
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1472
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:1932
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        
        PID:1584
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:3240
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:2840
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:460
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:2964
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:2088
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:2316
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:640
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3488
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:5028
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:5008
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:1160
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:3656
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:4680
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:4888
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:536
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:3556
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:3192
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:3852
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:2300
        
        C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        8⤵
        
        PID:3852
        
        C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
        9⤵
        
        PID:2304
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:4092
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:452
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2184
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1532
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:3668
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1004
        
        C:\Program Files\Common Files\System\ado\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\update.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:3516
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:824
        
        C:\Program Files\Common Files\System\ado\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\update.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1236
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:4364
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:4728
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:4292
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:384
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:4376
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1304
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:4076
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:676
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:3160
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:260
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:776
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\CustomMarshalers\System Restore.exe" C:\Windows\assembly\GAC_32\CustomMarshalers\
        9⤵
        
        PID:1068
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:4680
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:844
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:3236
    - - C:\Program Files\Google\data.exe
        
        "C:\Program Files\Google\data.exe" C:\Program Files\Google\
        5⤵
        
        PID:2072
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:4684
        
        C:\Program Files\Google\Chrome\Application\update.exe
        
        "C:\Program Files\Google\Chrome\Application\update.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:2360
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        
        PID:1460
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        
        PID:5112
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:692
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:4656
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:2040
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:1432
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:2712
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        
        PID:4708
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:3344
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:4240
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\
        7⤵
        
        PID:2372
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2040
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:4660
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:3976
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:412
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:4788
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2844
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:636
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:5104
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2416
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\
        6⤵
        
        PID:3252
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2372
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        
        PID:2016
        
        C:\Program Files\Java\jre-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
        7⤵
        
        PID:392
        
        C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        8⤵
        
        PID:3976
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        9⤵
        
        PID:2408
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        10⤵
        
        PID:4856
        
        C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        8⤵
        
        PID:3844
        
        C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        8⤵
        
        PID:4396
        
        C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:824
        
        C:\Program Files\Java\jre-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
        7⤵
        
        PID:2008
        
        C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        8⤵
        
        PID:3712
        
        C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        8⤵
        
        PID:2244
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        8⤵
        
        PID:4332
        
        C:\Program Files\Java\jre-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
        7⤵
        
        PID:4484
        
        C:\Program Files\Java\jre-1.8\lib\amd64\update.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\update.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        8⤵
        
        PID:4920
        
        C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe" C:\Program Files\Java\jre-1.8\lib\fonts\
        8⤵
        
        PID:3272
        
        C:\Program Files\Java\jre-1.8\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\backup.exe" C:\Program Files\Java\jre-1.8\lib\ext\
        8⤵
        
        PID:2408
        
        C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe" C:\Program Files\Java\jre-1.8\lib\deploy\
        8⤵
        
        PID:4524
        
        C:\Program Files\Java\jre-1.8\lib\images\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\
        8⤵
        
        PID:816
        
        C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
        9⤵
        
        PID:4956
        
        C:\Program Files\Java\jre-1.8\lib\jfr\data.exe
        
        "C:\Program Files\Java\jre-1.8\lib\jfr\data.exe" C:\Program Files\Java\jre-1.8\lib\jfr\
        8⤵
        
        PID:4860
        
        C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        8⤵
        
        PID:4280
        
        C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        8⤵
        
        PID:4436
        
        C:\Program Files\Java\jre-1.8\lib\management\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\management\backup.exe" C:\Program Files\Java\jre-1.8\lib\management\
        8⤵
        
        PID:1248
        
        C:\Program Files\Java\jre-1.8\lib\security\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\
        8⤵
        
        PID:1632
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\
        9⤵
        
        PID:1304
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\limited\
        10⤵
        
        PID:4728
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\
        10⤵
        
        PID:1160
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\
        9⤵
        
        PID:420
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2004
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:1004
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:2916
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:2148
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:4000
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:4756
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:3588
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:2216
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:4856
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:4468
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:1588
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:4640
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:4412
        
        C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        
        PID:232
        
        C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        8⤵
        
        PID:1088
        
        C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\update.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        9⤵
        
        PID:2992
        
        C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        8⤵
        
        PID:3128
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2332
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        9⤵
        
        PID:4760
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
        9⤵
        
        PID:1968
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
        10⤵
        
        PID:4772
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
        9⤵
        
        PID:2300
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\
        9⤵
        
        PID:4176
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
        9⤵
        
        PID:1504
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
        10⤵
        
        PID:4640
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\
        10⤵
        
        PID:3380
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\
        11⤵
        
        PID:1108
        
        C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        8⤵
        
        PID:4532
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        8⤵
        
        PID:4436
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\
        8⤵
        
        PID:4836
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\data.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\
        9⤵
        
        PID:5116
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\update.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\
        9⤵
        
        PID:4076
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
        8⤵
        
        PID:1168
        
        C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\
        8⤵
        
        PID:2844
        
        C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        8⤵
        
        PID:4888
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f14\
        8⤵
        
        PID:2372
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f2\
        8⤵
        
        PID:664
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f3\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f3\data.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f3\
        8⤵
        
        PID:532
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f33\
        8⤵
        
        PID:1160
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f4\
        8⤵
        
        PID:5040
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f7\
        8⤵
        
        PID:2260
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\
        8⤵
        
        PID:4364
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\
        8⤵
        
        PID:2388
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        
        PID:2556
        
        C:\Program Files\Microsoft Office\root\rsod\backup.exe
        
        "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
        7⤵
        
        PID:816
        
        C:\Program Files\Microsoft Office\root\Templates\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
        7⤵
        
        PID:4968
        
        C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        8⤵
        
        PID:4292
        
        C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        9⤵
        
        PID:452
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\
        9⤵
        
        PID:928
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\
        10⤵
        
        PID:4280
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\
        11⤵
        
        PID:3280
        
        C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe" C:\Program Files\VideoLAN\VLC\lua\extensions\
        12⤵
        
        PID:3272
        
        C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        8⤵
        
        PID:2372
        
        C:\Program Files\Microsoft Office\root\vfs\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\
        7⤵
        
        PID:1232
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\
        8⤵
        
        PID:1788
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\
        9⤵
        
        PID:4344
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\
        10⤵
        
        PID:1944
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\
        11⤵
        
        PID:4760
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\
        9⤵
        
        PID:664
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\
        8⤵
        
        PID:4472
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\
        9⤵
        
        PID:5040
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\
        9⤵
        
        PID:3380
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\
        10⤵
        
        PID:816
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\
        10⤵
        
        PID:4932
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\
        11⤵
        
        PID:2472
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\
        8⤵
        
        PID:2216
        
        C:\Program Files\Microsoft Office\root\vreg\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vreg\backup.exe" C:\Program Files\Microsoft Office\root\vreg\
        7⤵
        
        PID:4968
    - - C:\Program Files\Microsoft Office 15\update.exe
        
        "C:\Program Files\Microsoft Office 15\update.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:1632
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:5012
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:3128
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:4292
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:4044
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:1124
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:3684
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:5088
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\GAC_MSIL\
        7⤵
        
        PID:3268
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        8⤵
        
        PID:4888
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\data.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\data.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
        9⤵
        
        PID:1312
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:4844
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1788
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:2120
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:4540
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:4628
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:2116
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:408
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:1088
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:5040
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:3732
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:5040
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:1956
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:2312
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:2828
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:1596
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:4336
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:5112
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:5064
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\data.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\data.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\
        8⤵
        
        PID:2264
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\
        9⤵
        
        PID:4508
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:3120
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        
        PID:4620
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:4888
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        
        PID:4248
        
        C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        
        PID:2972
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:752
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        8⤵
        
        PID:3212
        
        C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        9⤵
        
        PID:4672
        
        C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        8⤵
        
        PID:1772
        
        C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
        9⤵
        
        PID:3864
        
        C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        8⤵
        
        PID:4396
        
        C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
        9⤵
        
        PID:676
        
        C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
        8⤵
        
        PID:4376
        
        C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        9⤵
        
        PID:928
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
        8⤵
        
        PID:3212
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
        9⤵
        
        PID:2836
        
        C:\Program Files\VideoLAN\VLC\lua\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\backup.exe" C:\Program Files\VideoLAN\VLC\lua\
        7⤵
        
        PID:3280
        
        C:\Program Files\VideoLAN\VLC\lua\http\data.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\data.exe" C:\Program Files\VideoLAN\VLC\lua\http\
        8⤵
        
        PID:1956
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\
        9⤵
        
        PID:4476
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\
        10⤵
        
        PID:3552
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\
        11⤵
        
        PID:1788
        
        C:\Program Files\VideoLAN\VLC\lua\http\dialogs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\dialogs\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\dialogs\
        9⤵
        
        PID:4820
        
        C:\Program Files\VideoLAN\VLC\lua\http\images\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\images\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\images\
        9⤵
        
        PID:2016
        
        C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\js\
        9⤵
        
        PID:5064
        
        C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\requests\
        9⤵
        
        PID:392
        
        C:\Program Files\VideoLAN\VLC\plugins\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\
        7⤵
        
        PID:2300
        
        C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access\
        8⤵
        
        PID:1352
        
        C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access_output\
        8⤵
        
        PID:2020
        
        C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_filter\
        8⤵
        
        PID:2576
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:1632
      - C:\Program Files\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files\Windows Defender\fr-FR\backup.exe" C:\Program Files\Windows Defender\fr-FR\
        6⤵
        
        PID:3552
      - C:\Program Files\Windows Defender\ja-JP\backup.exe
        
        "C:\Program Files\Windows Defender\ja-JP\backup.exe" C:\Program Files\Windows Defender\ja-JP\
        6⤵
        
        PID:4836
      - C:\Program Files\Windows Defender\it-IT\backup.exe
        
        "C:\Program Files\Windows Defender\it-IT\backup.exe" C:\Program Files\Windows Defender\it-IT\
        6⤵
        
        PID:260
      - C:\Program Files\Windows Defender\es-ES\backup.exe
        
        "C:\Program Files\Windows Defender\es-ES\backup.exe" C:\Program Files\Windows Defender\es-ES\
        6⤵
        
        PID:4924
      - C:\Program Files\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files\Windows Defender\de-DE\backup.exe" C:\Program Files\Windows Defender\de-DE\
        6⤵
        
        PID:3552
    - - C:\Program Files\Windows Mail\backup.exe
        
        "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
        5⤵
        
        PID:3056
    - - C:\Program Files\Windows Media Player\backup.exe
        
        "C:\Program Files\Windows Media Player\backup.exe" C:\Program Files\Windows Media Player\
        5⤵
        
        PID:1308
      - C:\Program Files\Windows Media Player\es-ES\backup.exe
        
        "C:\Program Files\Windows Media Player\es-ES\backup.exe" C:\Program Files\Windows Media Player\es-ES\
        6⤵
        
        PID:4220
      - C:\Program Files\Windows Media Player\fr-FR\backup.exe
        
        "C:\Program Files\Windows Media Player\fr-FR\backup.exe" C:\Program Files\Windows Media Player\fr-FR\
        6⤵
        
        PID:548
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:2188
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:540
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        
        PID:3380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:4396
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        
        PID:816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:4068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:3128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:1804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:4436
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:4888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:4212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:4952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:4320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4844
        
        C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        9⤵
        
        PID:2116
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        10⤵
        
        PID:2932
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        11⤵
        
        PID:1304
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        11⤵
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:4908
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:3160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:2332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:2568
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:4648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:332
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\System Restore.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        11⤵
        
        PID:4340
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:4168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:1108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:5008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:3212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:2124
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:4292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        8⤵
        
        PID:1924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        9⤵
        
        PID:2568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        10⤵
        
        PID:2652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        10⤵
        
        PID:4600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        11⤵
        
        PID:228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        10⤵
        
        PID:4324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        10⤵
        
        PID:1588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\data.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        10⤵
        
        PID:2000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
        10⤵
        
        PID:3260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
        10⤵
        
        PID:3416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
        10⤵
        
        PID:4560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
        10⤵
        
        PID:3264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\
        11⤵
        
        PID:2424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
        12⤵
        
        PID:3556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\
        10⤵
        
        PID:1316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
        11⤵
        
        PID:3872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
        11⤵
        
        PID:1924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\
        11⤵
        
        PID:5048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\
        11⤵
        
        PID:4088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\
        11⤵
        
        PID:2488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\
        11⤵
        
        PID:4504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\
        12⤵
        
        PID:3384
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\
        13⤵
        
        PID:2116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\
        12⤵
        
        PID:1528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\
        11⤵
        
        PID:1592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\
        11⤵
        
        PID:1308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\
        12⤵
        
        PID:3836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\
        13⤵
        
        PID:4104
        
        C:\Program Files\Windows Media Player\de-DE\update.exe
        
        "C:\Program Files\Windows Media Player\de-DE\update.exe" C:\Program Files\Windows Media Player\de-DE\
        12⤵
        
        PID:4856
        
        C:\Program Files\Windows Media Player\en-US\backup.exe
        
        "C:\Program Files\Windows Media Player\en-US\backup.exe" C:\Program Files\Windows Media Player\en-US\
        12⤵
        
        PID:3764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\
        10⤵
        
        PID:2828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\
        10⤵
        
        PID:2284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\
        11⤵
        
        PID:3128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\
        11⤵
        
        PID:1168
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\
        12⤵
        
        PID:4176
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\
        13⤵
        
        PID:948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\
        10⤵
        
        PID:4044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\
        10⤵
        
        PID:2040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        9⤵
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:2488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:5048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:4908
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:2712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:4016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:5032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4396
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:4340
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:1364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:3056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        8⤵
        
        PID:4600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:3008
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1032
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:3552
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:3384
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:4336
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3536
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:1456
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\update.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:4724
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:2912
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:392
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:2436
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4928
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:868
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:4876
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:4296
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:2388
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:2408
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:1460
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:4192
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:820
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:5088
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        
        PID:3696
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:3452
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:1808
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:1088
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        8⤵
        
        PID:3852
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\data.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        8⤵
        
        PID:1352
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:4772
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:676
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:2072
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2512
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:4708
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:3524
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1236
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:3556
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:3272
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:2436
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:4920
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:868
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:4272
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:3436
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:3452
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:4924
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
        8⤵
        
        PID:2440
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        9⤵
        
        PID:5112
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
        9⤵
        
        PID:1248
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\
        9⤵
        
        PID:332
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        9⤵
        
        PID:1364
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:2008
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:4648
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2348
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        
        PID:4924
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:3976
      - C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:1924
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:3480
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:3836
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2768
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:3384
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\update.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\update.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:4800
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:4176
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:4044
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        9⤵
        
        PID:3436
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\data.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\data.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:844
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:3904
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:1684
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:4968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        8⤵
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:1124
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:4756
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:4376
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:2004
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:312
        
        C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        8⤵
        
        PID:3280
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:4116
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\System Restore.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:4464
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:5112
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1956
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1584
        
        C:\Windows\Globalization\ICU\data.exe
        
        C:\Windows\Globalization\ICU\data.exe C:\Windows\Globalization\ICU\
        8⤵
        
        PID:3836
        
        C:\Windows\Globalization\ELS\backup.exe
        
        C:\Windows\Globalization\ELS\backup.exe C:\Windows\Globalization\ELS\
        8⤵
        
        PID:2592
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:1944
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:3984
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2016
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:4344
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:624
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:3976
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:4680
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:4968
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:4956
      - C:\Program Files (x86)\Google\Update\data.exe
        
        "C:\Program Files (x86)\Google\Update\data.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:3052
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:3344
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:4796
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:928
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:1712
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1796
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:3552
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:4348
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1824
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:4812
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3732
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:3268
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        6⤵
        
        PID:1328
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:816
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        
        PID:3984
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        
        PID:2712
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\
        7⤵
        
        PID:1316
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{698BCA89-33FA-47F4-8015-933217D46338}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{698BCA89-33FA-47F4-8015-933217D46338}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{698BCA89-33FA-47F4-8015-933217D46338}\
        8⤵
        
        PID:4640
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        
        PID:2472
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2184
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:4932
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:3684
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:1364
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:3904
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        
        PID:624
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:1392
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:1544
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:3040
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c6927e14e1fbf4feae9cd67df04eaabe\
        8⤵
        
        PID:1408
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:4764
    - - C:\Program Files (x86)\Reference Assemblies\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:2072
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
        6⤵
        
        PID:2916
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:4240
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:3008
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:1540
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:4212
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:3552
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:3556
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:184
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:2008
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\
        9⤵
        
        PID:1588
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:2440
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\data.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\data.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:824
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:4876
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:2280
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System Restore.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System Restore.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:2828
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System Restore.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System Restore.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:1248
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:4968
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\
        9⤵
        
        PID:2172
    - - C:\Program Files (x86)\Windows Defender\update.exe
        
        "C:\Program Files (x86)\Windows Defender\update.exe" C:\Program Files (x86)\Windows Defender\
        5⤵
        
        PID:1712
      - C:\Program Files (x86)\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\backup.exe" C:\Program Files (x86)\Windows Defender\de-DE\
        6⤵
        
        PID:3364
      - C:\Program Files (x86)\Windows Defender\es-ES\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\backup.exe" C:\Program Files (x86)\Windows Defender\es-ES\
        6⤵
        
        PID:4476
      - C:\Program Files (x86)\Windows Defender\fr-FR\data.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\data.exe" C:\Program Files (x86)\Windows Defender\fr-FR\
        6⤵
        
        PID:4356
      - C:\Program Files (x86)\Windows Defender\it-IT\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\backup.exe" C:\Program Files (x86)\Windows Defender\it-IT\
        6⤵
        
        PID:1464
      - C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe" C:\Program Files (x86)\Windows Defender\ja-JP\
        6⤵
        
        PID:3328
    - - C:\Program Files (x86)\Windows Mail\backup.exe
        
        "C:\Program Files (x86)\Windows Mail\backup.exe" C:\Program Files (x86)\Windows Mail\
        5⤵
        
        PID:1488
    - - C:\Program Files (x86)\Windows Media Player\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\backup.exe" C:\Program Files (x86)\Windows Media Player\
        5⤵
        
        PID:1604
      - C:\Program Files (x86)\Windows Media Player\en-US\data.exe
        
        "C:\Program Files (x86)\Windows Media Player\en-US\data.exe" C:\Program Files (x86)\Windows Media Player\en-US\
        6⤵
        
        PID:3684
      - C:\Program Files (x86)\Windows Media Player\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\backup.exe" C:\Program Files (x86)\Windows Media Player\fr-FR\
        6⤵
        
        PID:2960
      - C:\Program Files (x86)\Windows Media Player\es-ES\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\es-ES\backup.exe" C:\Program Files (x86)\Windows Media Player\es-ES\
        6⤵
        
        PID:4372
      - C:\Program Files (x86)\Windows Media Player\it-IT\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\backup.exe" C:\Program Files (x86)\Windows Media Player\it-IT\
        6⤵
        
        PID:2040
      - C:\Program Files (x86)\Windows Media Player\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\backup.exe" C:\Program Files (x86)\Windows Media Player\ja-JP\
        6⤵
        
        PID:4628
      - C:\Program Files (x86)\Windows Media Player\Media Renderer\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\backup.exe" C:\Program Files (x86)\Windows Media Player\Media Renderer\
        6⤵
        
        PID:4800
    - - C:\Program Files (x86)\Windows Multimedia Platform\System Restore.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System Restore.exe" C:\Program Files (x86)\Windows Multimedia Platform\
        5⤵
        
        PID:3768
    - - C:\Program Files (x86)\Windows NT\backup.exe
        
        "C:\Program Files (x86)\Windows NT\backup.exe" C:\Program Files (x86)\Windows NT\
        5⤵
        
        PID:4044
      - C:\Program Files (x86)\Windows NT\Accessories\update.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\update.exe" C:\Program Files (x86)\Windows NT\Accessories\
        6⤵
        
        PID:3684
        
        C:\Program Files (x86)\Windows NT\Accessories\en-US\backup.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\en-US\backup.exe" C:\Program Files (x86)\Windows NT\Accessories\en-US\
        7⤵
        
        PID:1328
      - C:\Program Files (x86)\Windows NT\TableTextService\backup.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\backup.exe" C:\Program Files (x86)\Windows NT\TableTextService\
        6⤵
        
        PID:1288
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:3548
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:4124
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:4272
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:3812
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:4796
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4212
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        
        PID:3828
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        
        PID:3384
      - C:\Users\Admin\Favorites\data.exe
        
        C:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:4952
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2520
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2408
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:928
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:4200
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:3384
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:3832
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:3696
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        8⤵
        
        PID:3344
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        8⤵
        
        PID:2836
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        8⤵
        
        PID:1616
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:3084
      - C:\Users\Admin\Searches\data.exe
        
        C:\Users\Admin\Searches\data.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:636
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:3276
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:4540
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:3300
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:4784
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:4836
        
        C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
        7⤵
        
        PID:4044
        
        C:\Program Files\Java\jdk-1.8\jre\legal\jdk\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\update.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
        8⤵
        
        PID:5012
        
        C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
        7⤵
        
        PID:2124
        
        C:\Program Files\Java\jdk-1.8\jre\lib\amd64\data.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\data.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        8⤵
        
        PID:1364
        
        C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        8⤵
        
        PID:2368
        
        C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        8⤵
        
        PID:100
        
        C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
        8⤵
        
        PID:1592
        
        C:\Program Files\Java\jdk-1.8\jre\lib\ext\System Restore.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\ext\System Restore.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
        8⤵
        
        PID:3892
        
        C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
        8⤵
        
        PID:2892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        9⤵
        
        PID:4508
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\
        8⤵
        
        PID:3936
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
        9⤵
        
        PID:4800
        
        C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\
        8⤵
        
        PID:3264
        
        C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
        8⤵
        
        PID:4956
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\
        8⤵
        
        PID:4748
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:3012
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1248
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:3016
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:5116
      - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        6⤵
        
        PID:2316
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:4972
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:1632
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        
        PID:4076
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:3764
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        7⤵
        
        PID:2768
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:2148
      - C:\Windows\apppatch\de-DE\System Restore.exe
        
        "C:\Windows\apppatch\de-DE\System Restore.exe" C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:2364
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:4908
      - C:\Windows\apppatch\es-ES\update.exe
        
        C:\Windows\apppatch\es-ES\update.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:400
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:4448
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:4076
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:3212
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:4344
    - - C:\Windows\AppReadiness\System Restore.exe
        
        "C:\Windows\AppReadiness\System Restore.exe" C:\Windows\AppReadiness\
        5⤵
        
        PID:4648
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:3276
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:4652
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:5032
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1616
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:5040
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3832
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:1240
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4784
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:2960
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:4088
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:2120
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4600
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:332
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:1540
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4212
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:776
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:3696
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:928
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:2592
        
        C:\Windows\Globalization\ELS\Transliteration\backup.exe
        
        C:\Windows\Globalization\ELS\Transliteration\backup.exe C:\Windows\Globalization\ELS\Transliteration\
        8⤵
        
        PID:3120
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:1124
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4628
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\System Restore.exe" C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:3328
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3292
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3416
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe C:\Windows\assembly\GAC_32\MSBuild\
        7⤵
        
        PID:1472
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4500
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\
        7⤵
        
        PID:1196
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1108
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe C:\Windows\assembly\GAC_32\mscorlib\
        7⤵
        
        PID:1632
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe C:\Windows\assembly\GAC_32\srmlib\
        7⤵
        
        PID:2904
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:5088
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe C:\Windows\assembly\GAC_32\System.Data\
        7⤵
        
        PID:3444
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3380
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\
        7⤵
        
        PID:3984
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3892
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\
        7⤵
        
        PID:4820
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:516
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe C:\Windows\assembly\GAC_32\System.Printing\
        7⤵
        
        PID:3900
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\
        7⤵
        
        PID:4396
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:4844
        
        C:\Windows\assembly\GAC_32\System.Web\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\backup.exe C:\Windows\assembly\GAC_32\System.Web\
        7⤵
        
        PID:4212
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3772
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:4796
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        
        PID:4876
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3512
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:1176
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4436
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        
        PID:3852
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1304
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:3548
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\System Restore.exe
        
        "C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\System Restore.exe" C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2932
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:4728
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2088
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe C:\Windows\assembly\GAC_64\MSBuild\
        7⤵
        
        PID:928
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1248
        
        C:\Windows\assembly\GAC_64\mscorlib\update.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\update.exe C:\Windows\assembly\GAC_64\mscorlib\
        7⤵
        
        PID:4856
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\update.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\update.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:5080
        
        C:\Windows\assembly\GAC_64\srmlib\update.exe
        
        C:\Windows\assembly\GAC_64\srmlib\update.exe C:\Windows\assembly\GAC_64\srmlib\
        7⤵
        
        PID:4760
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:664
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\
        7⤵
        
        PID:4684
        
        C:\Windows\assembly\GAC_64\System.Data\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data\backup.exe C:\Windows\assembly\GAC_64\System.Data\
        7⤵
        
        PID:2936
        
        C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:1328
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_64\System.Data.OracleClient\
        7⤵
        
        PID:4176
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3068
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:4300
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        
        PID:2348
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3268
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\
        7⤵
        
        PID:3328
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\
        7⤵
        
        PID:4916
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\
        8⤵
        
        PID:2436
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\
        8⤵
        
        PID:816
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\
        8⤵
        
        PID:3068
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\
        8⤵
        
        PID:4652
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\
        8⤵
        
        PID:3160
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\
        7⤵
        
        PID:1124
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1408
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\
        7⤵
        
        PID:2172
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\update.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\update.exe C:\Windows\assembly\GAC_MSIL\dfsvc\
        7⤵
        
        PID:3384
        
        C:\Windows\assembly\GAC_MSIL\IEExecRemote\data.exe
        
        C:\Windows\assembly\GAC_MSIL\IEExecRemote\data.exe C:\Windows\assembly\GAC_MSIL\IEExecRemote\
        7⤵
        
        PID:2948
        
        C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1592
        
        C:\Windows\assembly\GAC_MSIL\IEHost\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\IEHost\backup.exe C:\Windows\assembly\GAC_MSIL\IEHost\
        7⤵
        
        PID:3460
        
        C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:868
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        
        PID:2932
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\
        7⤵
        
        PID:4800
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\
        8⤵
        
        PID:4104
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\
        8⤵
        
        PID:3040
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\
        8⤵
        
        PID:948
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\
        8⤵
        
        PID:4044
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a3a54d1c0d022e4ccf266b954fe01230\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a3a54d1c0d022e4ccf266b954fe01230\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a3a54d1c0d022e4ccf266b954fe01230\
        8⤵
        
        PID:2124
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\
        7⤵
        
        PID:312
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\
        8⤵
        
        PID:676
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\
        7⤵
        
        PID:2124
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\update.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\update.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\
        8⤵
        
        PID:928
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\
        7⤵
        
        PID:4728
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\
        8⤵
        
        PID:420
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\
        7⤵
        
        PID:1500
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\e7a3b638f7646fc8439936218d34b2b7\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\e7a3b638f7646fc8439936218d34b2b7\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\e7a3b638f7646fc8439936218d34b2b7\
        8⤵
        
        PID:1488
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        
        PID:4540
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\
        7⤵
        
        PID:5060
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\47e786300d57b2248515da5569427c4e\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\47e786300d57b2248515da5569427c4e\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\47e786300d57b2248515da5569427c4e\
        8⤵
        
        PID:1832
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\
        8⤵
        
        PID:3404
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\83a3b8af1eee54050fa565ab6fc8e5d9\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\83a3b8af1eee54050fa565ab6fc8e5d9\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\83a3b8af1eee54050fa565ab6fc8e5d9\
        8⤵
        
        PID:2088
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\
        8⤵
        
        PID:1076
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f334dca9ae9dc06224e9b43875b3aa90\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f334dca9ae9dc06224e9b43875b3aa90\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f334dca9ae9dc06224e9b43875b3aa90\
        8⤵
        
        PID:3400
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\
        7⤵
        
        PID:1124
      - C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\
        6⤵
        
        PID:1240
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\
        7⤵
        
        PID:2184
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\00194bf840ef92b2565b539f29704dc8\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\00194bf840ef92b2565b539f29704dc8\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\00194bf840ef92b2565b539f29704dc8\
        8⤵
        
        PID:4992
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\
        7⤵
        
        PID:3060
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\
        8⤵
        
        PID:5104
      - C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\
        6⤵
        
        PID:4960
    - - C:\Windows\Branding\update.exe
        
        C:\Windows\Branding\update.exe C:\Windows\Branding\
        5⤵
        
        PID:2844
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        
        PID:4024
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        
        PID:4600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        8⤵
        
        PID:3236
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:4640
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        
        PID:4296
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
        7⤵
        
        PID:4356
        
        C:\Windows\Branding\Basebrd\ja-JP\update.exe
        
        C:\Windows\Branding\Basebrd\ja-JP\update.exe C:\Windows\Branding\Basebrd\ja-JP\
        7⤵
        
        PID:3712
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        
        PID:3212
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:3916
    - - C:\Windows\Containers\backup.exe
        
        C:\Windows\Containers\backup.exe C:\Windows\Containers\
        5⤵
        
        PID:3120
      - C:\Windows\Containers\serviced\backup.exe
        
        C:\Windows\Containers\serviced\backup.exe C:\Windows\Containers\serviced\
        6⤵
        
        PID:1684
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        
        PID:228
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:1248
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:260
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:5040
    - - C:\Windows\DiagTrack\backup.exe
        
        C:\Windows\DiagTrack\backup.exe C:\Windows\DiagTrack\
        5⤵
        
        PID:752
      - C:\Windows\DiagTrack\Settings\backup.exe
        
        C:\Windows\DiagTrack\Settings\backup.exe C:\Windows\DiagTrack\Settings\
        6⤵
        
        PID:3732
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        
        PID:4764
      - C:\Windows\DigitalLocker\en-US\backup.exe
        
        C:\Windows\DigitalLocker\en-US\backup.exe C:\Windows\DigitalLocker\en-US\
        6⤵
        
        PID:1604
        
        C:\Program Files (x86)\Windows Media Player\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\de-DE\backup.exe" C:\Program Files (x86)\Windows Media Player\de-DE\
        7⤵
        
        PID:1824
    - - C:\Windows\en-US\backup.exe
        
        C:\Windows\en-US\backup.exe C:\Windows\en-US\
        5⤵
        
        PID:3668
    - - C:\Windows\es-ES\backup.exe
        
        C:\Windows\es-ES\backup.exe C:\Windows\es-ES\
        5⤵
        
        PID:3068
    - - C:\Windows\Fonts\backup.exe
        
        C:\Windows\Fonts\backup.exe C:\Windows\Fonts\
        5⤵
        
        PID:3328
    - - C:\Windows\fr-FR\backup.exe
        
        C:\Windows\fr-FR\backup.exe C:\Windows\fr-FR\
        5⤵
        
        PID:2916
    - - C:\Windows\GameBarPresenceWriter\backup.exe
        
        C:\Windows\GameBarPresenceWriter\backup.exe C:\Windows\GameBarPresenceWriter\
        5⤵
        
        PID:1088
    - - C:\Windows\Globalization\backup.exe
        
        C:\Windows\Globalization\backup.exe C:\Windows\Globalization\
        5⤵
        
        PID:2004
      - C:\Windows\Globalization\Sorting\backup.exe
        
        C:\Windows\Globalization\Sorting\backup.exe C:\Windows\Globalization\Sorting\
        6⤵
        
        PID:4044
      - C:\Windows\Globalization\Time Zone\update.exe
        
        "C:\Windows\Globalization\Time Zone\update.exe" C:\Windows\Globalization\Time Zone\
        6⤵
        
        PID:4960
    - - C:\Windows\Help\backup.exe
        
        C:\Windows\Help\backup.exe C:\Windows\Help\
        5⤵
        
        PID:4760
      - C:\Windows\Help\Corporate\backup.exe
        
        C:\Windows\Help\Corporate\backup.exe C:\Windows\Help\Corporate\
        6⤵
        
        PID:624
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\
        7⤵
        
        PID:2712
      - C:\Windows\Help\en-US\backup.exe
        
        C:\Windows\Help\en-US\backup.exe C:\Windows\Help\en-US\
        6⤵
        
        PID:3008
      - C:\Windows\Help\Help\backup.exe
        
        C:\Windows\Help\Help\backup.exe C:\Windows\Help\Help\
        6⤵
        
        PID:3488
      - C:\Windows\Help\mui\backup.exe
        
        C:\Windows\Help\mui\backup.exe C:\Windows\Help\mui\
        6⤵
        
        PID:3832
        
        C:\Windows\Help\mui\0409\backup.exe
        
        C:\Windows\Help\mui\0409\backup.exe C:\Windows\Help\mui\0409\
        7⤵
        
        PID:1700
    - - C:\Windows\IdentityCRL\backup.exe
        
        C:\Windows\IdentityCRL\backup.exe C:\Windows\IdentityCRL\
        5⤵
        
        PID:4436
- C:\Users\Admin\AppData\Local\Temp\777349981\backup.exe
  C:\Users\Admin\AppData\Local\Temp\777349981\backup.exe C:\Users\Admin\AppData\Local\Temp\777349981\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5096
- - C:\Windows\appcompat\appraiser\Telemetry\backup.exe
    C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
    3⤵
    PID:1068
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:612
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4784
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4344
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3524
- C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\backup.exe
      C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\af\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\af\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\af\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\am\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\am\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\am\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ar\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ar\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ar\
        5⤵
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\az\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\az\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\az\
        5⤵
        
        PID:3536
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\be\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\be\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\be\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4656
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\bg\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\bg\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\bg\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\bn\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\bn\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\bn\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1528
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ca\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ca\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ca\
        5⤵
        Executes dropped EXE
        
        PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\cs\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\cs\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\cs\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\cy\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\cy\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\cy\
        5⤵
        
        PID:3208
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\da\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\da\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\da\
        5⤵
        
        PID:1236
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\de\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\de\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\de\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1420
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\el\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\el\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\el\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4024
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en_CA\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en_CA\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en_CA\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en_GB\System Restore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en_GB\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en_GB\
        5⤵
        
        PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en_US\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en_US\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\en_US\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\es\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\es\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\es\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3760
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\es_419\update.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\es_419\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\es_419\
        5⤵
        
        PID:4212
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\et\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\et\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\et\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3252
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\
        6⤵
        
        PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\eu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\eu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\eu\
        5⤵
        
        PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fa\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fa\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fa\
        5⤵
        
        PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fi\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fi\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fi\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fil\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fil\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fil\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3536
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fr\System Restore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fr\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fr\
        5⤵
        
        PID:2512
      - C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        6⤵
        
        PID:4824
      - C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        6⤵
        
        PID:1924
      - C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        6⤵
        
        PID:2712
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\System Restore.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        7⤵
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\
        8⤵
        
        PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fr_CA\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fr_CA\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\fr_CA\
        5⤵
        
        PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\gl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\gl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\gl\
        5⤵
        
        PID:4468
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\gu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\gu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\gu\
        5⤵
        
        PID:3444
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hi\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hi\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hi\
        5⤵
        
        PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hr\
        5⤵
        
        PID:3208
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hu\
        5⤵
        
        PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hy\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hy\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\hy\
        5⤵
        
        PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\id\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\id\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\id\
        5⤵
        
        PID:3524
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\is\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\is\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\is\
        5⤵
        
        PID:332
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\it\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\it\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\it\
        5⤵
        
        PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\iw\update.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\iw\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\iw\
        5⤵
        
        PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ja\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ja\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ja\
        5⤵
        
        PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ka\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ka\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ka\
        5⤵
        
        PID:4196
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\kk\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\kk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\kk\
        5⤵
        
        PID:4944
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\km\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\km\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\km\
        5⤵
        
        PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\kn\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\kn\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\kn\
        5⤵
        
        PID:1968
      - C:\Program Files\Java\jdk-1.8\jre\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\backup.exe" C:\Program Files\Java\jdk-1.8\jre\
        6⤵
        
        PID:4836
        
        C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
        7⤵
        
        PID:2008
        
        C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        8⤵
        
        PID:2652
        
        C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\update.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        8⤵
        
        PID:4288
        
        C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1544
      - C:\Program Files\Java\jdk-1.8\include\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
        6⤵
        
        PID:2300
      - C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        6⤵
        
        PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ko\System Restore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ko\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ko\
        5⤵
        
        PID:332
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\lo\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\lo\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\lo\
        5⤵
        
        PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\lt\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\lt\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\lt\
        5⤵
        
        PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\lv\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\lv\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\lv\
        5⤵
        
        PID:3512
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ml\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ml\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ml\
        5⤵
        
        PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\mn\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\mn\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\mn\
        5⤵
        
        PID:3732
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\mr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\mr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\mr\
        5⤵
        
        PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ms\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ms\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ms\
        5⤵
        
        PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\my\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\my\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\my\
        5⤵
        
        PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ne\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ne\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ne\
        5⤵
        
        PID:3460
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\nl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\nl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\nl\
        5⤵
        
        PID:260
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\no\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\no\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\no\
        5⤵
        
        PID:4280
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pa\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pa\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pa\
        5⤵
        
        PID:4748
      - C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\
        6⤵
        
        PID:4540
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\
        7⤵
        
        PID:3384
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1532
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
        7⤵
        
        PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pl\
        5⤵
        
        PID:4296
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pt_BR\data.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pt_BR\data.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pt_BR\
        5⤵
        
        PID:4944
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pt_PT\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pt_PT\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\pt_PT\
        5⤵
        
        PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ro\System Restore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ro\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ro\
        5⤵
        
        PID:676
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\si\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\si\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\si\
        5⤵
        
        PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sk\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sk\
        5⤵
        
        PID:624
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sl\System Restore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sl\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sl\
        5⤵
        
        PID:312
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sw\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sw\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sw\
        5⤵
        
        PID:4168
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ta\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ta\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ta\
        5⤵
        
        PID:4756
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sv\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sv\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sv\
        5⤵
        
        PID:4004
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\sr\
        5⤵
        
        PID:1248
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ru\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ru\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ru\
        5⤵
        
        PID:4288
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\te\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\te\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\te\
        5⤵
        
        PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\uk\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\uk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\uk\
        5⤵
        
        PID:4652
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\vi\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\vi\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\vi\
        5⤵
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ur\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ur\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ur\
        5⤵
        
        PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zh_CN\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zh_CN\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zh_CN\
        5⤵
        
        PID:4956
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\tr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\tr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\tr\
        5⤵
        
        PID:4000
      - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        6⤵
        
        PID:824
      - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\data.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\data.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        6⤵
        
        PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\th\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\th\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\th\
        5⤵
        
        PID:2488
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        6⤵
        
        PID:1392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        7⤵
        
        PID:4764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        8⤵
        
        PID:5104
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3040
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        6⤵
        
        PID:4968
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
        6⤵
        
        PID:5080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
        7⤵
        
        PID:1236
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
        8⤵
        
        PID:2348
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
        6⤵
        
        PID:5060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        7⤵
        
        PID:1532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
        8⤵
        
        PID:4324
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        6⤵
        
        PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zh_HK\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zh_HK\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zh_HK\
        5⤵
        
        PID:400
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zh_TW\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zh_TW\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zh_TW\
        5⤵
        
        PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\zu\
        5⤵
        
        PID:2304
- C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1778761978\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1778761978\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1778761978\
  2⤵
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1778761978\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1778761978\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1778761978\CRX_INSTALL\
    3⤵
    PID:4124

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
1⤵
PID:2416

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
1⤵
PID:3496
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
  "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
  2⤵
  PID:4116

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
1⤵
PID:3696

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
1⤵
PID:1796

C:\Program Files (x86)\Google\Update\Download\backup.exe
"C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
1⤵
PID:2088
- C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
  "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
  2⤵
  PID:5116

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
1⤵
PID:4412

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
1⤵
PID:1040
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
  2⤵
  PID:1640
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
    3⤵
    PID:3268
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
    3⤵
    PID:4288
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
      4⤵
      PID:4460
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        5⤵
        
        PID:440
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        5⤵
        
        PID:4484
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
    3⤵
    PID:3100
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
  2⤵
  PID:2488
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
  2⤵
  PID:2892
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
    3⤵
    PID:4088
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
      4⤵
      PID:1088
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\update.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
    3⤵
    PID:1960
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:4124
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
        5⤵
        
        PID:3604
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        6⤵
        
        PID:4008
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
        6⤵
        
        PID:1956
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\
        6⤵
        
        PID:752
        
        C:\Windows\DiagTrack\Scenarios\data.exe
        
        C:\Windows\DiagTrack\Scenarios\data.exe C:\Windows\DiagTrack\Scenarios\
        7⤵
        
        PID:5104
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        6⤵
        
        PID:4720
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\
        6⤵
        
        PID:1588
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
        6⤵
        
        PID:4940
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\
        6⤵
        
        PID:4972
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\
        6⤵
        
        PID:4212
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\
        6⤵
        
        PID:4344
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\
        6⤵
        
        PID:2364
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\
        6⤵
        
        PID:3008
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\
        6⤵
        
        PID:4476
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\
        6⤵
        
        PID:4628
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\
        6⤵
        
        PID:5088
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\
        6⤵
        
        PID:4860
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\
        6⤵
        
        PID:1772
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\
        6⤵
        
        PID:1168
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\
        6⤵
        
        PID:1924
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
    3⤵
    PID:2712
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
      4⤵
      PID:4932
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
        5⤵
        
        PID:4696
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\
        6⤵
        
        PID:3436
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\
        6⤵
        
        PID:408
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\
        6⤵
        
        PID:1240
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\
        6⤵
        
        PID:4120
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\
        6⤵
        
        PID:640
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\
        6⤵
        
        PID:1240
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\
        6⤵
        
        PID:2860
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\
        6⤵
        
        PID:1380
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\
        6⤵
        
        PID:2844
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\
        6⤵
        
        PID:2408
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\
        6⤵
        
        PID:1788
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
    3⤵
    PID:4912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\
    3⤵
    PID:2488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\
    3⤵
    PID:4508
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\
      4⤵
      PID:4104
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\
        5⤵
        
        PID:3160
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\
        5⤵
        
        PID:1532
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\
        5⤵
        
        PID:2216

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
1⤵
PID:4292
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
  2⤵
  PID:4780

C:\Program Files (x86)\Google\Update\Install\backup.exe
"C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
1⤵
PID:4908
- C:\Program Files (x86)\Google\Update\Install\{CC33CE5D-25A0-4A19-8BF1-AA9F080685BC}\backup.exe
  "C:\Program Files (x86)\Google\Update\Install\{CC33CE5D-25A0-4A19-8BF1-AA9F080685BC}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{CC33CE5D-25A0-4A19-8BF1-AA9F080685BC}\
  2⤵
  PID:4216

C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
1⤵
PID:3512

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
1⤵
PID:4300

C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4116

C:\Program Files\Java\jdk-1.8\backup.exe
"C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
1⤵
PID:1968
- C:\Program Files\Java\jdk-1.8\legal\backup.exe
  "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
  2⤵
  PID:1140
- - C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe
    "C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
    3⤵
    PID:5088
  - - C:\Program Files\Mozilla Firefox\browser\features\backup.exe
      "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
      4⤵
      PID:2216
    - - C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2008
  - - C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
      "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
      4⤵
      PID:4620
- - C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
    "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
    3⤵
    PID:4024
  - - C:\Windows\Branding\Basebrd\de-DE\backup.exe
      C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
      4⤵
      PID:4160
- C:\Program Files\Java\jdk-1.8\lib\backup.exe
  "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
  2⤵
  PID:2332

C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
1⤵
PID:1472

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
1⤵
PID:2304

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
1⤵
PID:4460

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
1⤵
PID:1504
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
  "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
  2⤵
  PID:408

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
1⤵
PID:2300
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
  2⤵
  PID:2592
- - C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
    C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
    3⤵
    PID:3264
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
  2⤵
  PID:2000

C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
1⤵
PID:1796
- C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
  "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
  2⤵
  PID:4516
- - C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\backup.exe
    "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\
    3⤵
    PID:2364

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\
1⤵
PID:3712

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
1⤵
PID:3668
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
  2⤵
  PID:2612
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
    3⤵
    PID:2008
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
    3⤵
    PID:3548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
    3⤵
    PID:2440
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
    3⤵
    PID:4640
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
    3⤵
    PID:5116
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
    3⤵
    PID:4764
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:4468
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
    3⤵
    PID:5048
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
    3⤵
    PID:5032
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
    3⤵
    PID:4348
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
    3⤵
    PID:260
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\
    3⤵
    PID:5112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\
    3⤵
    PID:4640
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\
    3⤵
    PID:184
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\
    3⤵
    PID:3768
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\
    3⤵
    PID:2408
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\
    3⤵
    PID:2116
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\data.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\
    3⤵
    PID:5040
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\
    3⤵
    PID:1712
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\
    3⤵
    PID:260
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\update.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\
    3⤵
    PID:4844
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\
    3⤵
    PID:4800
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\
    3⤵
    PID:2904
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\
    3⤵
    PID:4376

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
1⤵
PID:2388
- C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\backup.exe
  "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\
  2⤵
  PID:872

C:\Program Files\Microsoft Office\Updates\Download\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
1⤵
PID:3604

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\
1⤵
PID:4620
- C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\backup.exe
  "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\
  2⤵
  PID:1140
- - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\backup.exe
    "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\
    3⤵
    PID:3272
  - - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\backup.exe
      "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5EACB2E5-D5C2-4CC7-9CA1-8C84813F2E7D\root\vfs\Windows\assembly\
      4⤵
      PID:5088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\
1⤵
PID:4456
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\data.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\
  2⤵
  PID:816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\
1⤵
PID:3520
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\
  2⤵
  PID:3436

C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\
1⤵
PID:1092

C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\
1⤵
PID:4628

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\
1⤵
PID:4684
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\
  2⤵
  PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
81KB

MD5
176f80b01ece1199d697d6514492cc44

SHA1
88c9498e7cdc2b3d616b309bf13851f3f3aca20f

SHA256
0b8781dec3d4c371a73489f8627e022caaafe5829ae8e0837b252a9d1d30aeff

SHA512
76515222e09c2597830dd1399efe009853255da5f741202033e30a9f863e0b3ecc9e8a5021d8ceb7d722f0f4737647a733534f137dbb79a7a8b83721df756114

Download Submit
C:\PerfLogs\backup.exe

Filesize
81KB

MD5
176f80b01ece1199d697d6514492cc44

SHA1
88c9498e7cdc2b3d616b309bf13851f3f3aca20f

SHA256
0b8781dec3d4c371a73489f8627e022caaafe5829ae8e0837b252a9d1d30aeff

SHA512
76515222e09c2597830dd1399efe009853255da5f741202033e30a9f863e0b3ecc9e8a5021d8ceb7d722f0f4737647a733534f137dbb79a7a8b83721df756114

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
81KB

MD5
3fb72a906454030552fe9d1cf6d47b1c

SHA1
ed6dcdbee9904791cd64f4f16c75c40e0ad03344

SHA256
a6b2a4494409a89ebab59e4aa1a01bc06e411126230971b5246faa10c94b94cf

SHA512
1138f7f8b4f5292fcfad799de21eceb3ddf813450a0bb34cc8b41b505e01b1fe360f59c529ecf294e01ba9a44e45073f7e299d3230a025970dcfd1c1c9bd5a3a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
81KB

MD5
3fb72a906454030552fe9d1cf6d47b1c

SHA1
ed6dcdbee9904791cd64f4f16c75c40e0ad03344

SHA256
a6b2a4494409a89ebab59e4aa1a01bc06e411126230971b5246faa10c94b94cf

SHA512
1138f7f8b4f5292fcfad799de21eceb3ddf813450a0bb34cc8b41b505e01b1fe360f59c529ecf294e01ba9a44e45073f7e299d3230a025970dcfd1c1c9bd5a3a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
81KB

MD5
88d271603c35df97a21c581ba456c1ee

SHA1
ed1068bfa5ada38d37a17ad4d2940c345823d444

SHA256
28747aec74ad31899b113f034f84353a46d952ed25644ff6599f7f107d972c4b

SHA512
7ef3530c2302f83a58f1a076606f52a03d131a89f9b923343e141443d2f213d5df79f52e933e5af1162babf5052ed84e4c23354f22eaa740551e9089d8884d4e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
81KB

MD5
88d271603c35df97a21c581ba456c1ee

SHA1
ed1068bfa5ada38d37a17ad4d2940c345823d444

SHA256
28747aec74ad31899b113f034f84353a46d952ed25644ff6599f7f107d972c4b

SHA512
7ef3530c2302f83a58f1a076606f52a03d131a89f9b923343e141443d2f213d5df79f52e933e5af1162babf5052ed84e4c23354f22eaa740551e9089d8884d4e

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
81KB

MD5
4a032063487e67b34033f1d73abf100a

SHA1
f64697757432c969a103bd77c9bd531766d224b2

SHA256
6e311ae32229be47a006a751941b4315dd947bd482ed559add70e478075d3268

SHA512
3ff2c18bb5644f2f49fc03e112c9234290e9b64c8d1a2ffbe49b0a41c08b589972214198527e453a0ecded1b23f19e6b3fd4f6d4cb1b33e9a9b81fb5045be972

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
81KB

MD5
4a032063487e67b34033f1d73abf100a

SHA1
f64697757432c969a103bd77c9bd531766d224b2

SHA256
6e311ae32229be47a006a751941b4315dd947bd482ed559add70e478075d3268

SHA512
3ff2c18bb5644f2f49fc03e112c9234290e9b64c8d1a2ffbe49b0a41c08b589972214198527e453a0ecded1b23f19e6b3fd4f6d4cb1b33e9a9b81fb5045be972

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
81KB

MD5
ba54ea8f6b718fc0d17d2ec0c5ffa764

SHA1
78be5950406068f00a0501ad3706189c19d620fb

SHA256
1733bd23efb000c74ef685ad95dfc841ec80a22d5e1637f5df1af03fc1a19150

SHA512
14796f6cbc81444395572b1b27a5e0f04e8e2ae39b4138b3259cf0b5b8d65e7e7c0f36f26edb677df519d58c9142946c57d6ca5311b17204d9c08de88b32f19e

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
81KB

MD5
ba54ea8f6b718fc0d17d2ec0c5ffa764

SHA1
78be5950406068f00a0501ad3706189c19d620fb

SHA256
1733bd23efb000c74ef685ad95dfc841ec80a22d5e1637f5df1af03fc1a19150

SHA512
14796f6cbc81444395572b1b27a5e0f04e8e2ae39b4138b3259cf0b5b8d65e7e7c0f36f26edb677df519d58c9142946c57d6ca5311b17204d9c08de88b32f19e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
81KB

MD5
0aa114329c4b1824ca2a4a9bed6b2400

SHA1
20ea228bda176dd850e1e499dad574eb0ca282b1

SHA256
a208a1cfe79b74b54351f697e9e6898d951519b772f82681388ef0b404329715

SHA512
921acb47d8e4cb0c0e0f4e9d796c5027d562667626db431059039156afb838a4321cb8d07dd1af1cd3fd6750d7f58f358597e6cb0672f1c37eb91114dc42e25b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
81KB

MD5
0aa114329c4b1824ca2a4a9bed6b2400

SHA1
20ea228bda176dd850e1e499dad574eb0ca282b1

SHA256
a208a1cfe79b74b54351f697e9e6898d951519b772f82681388ef0b404329715

SHA512
921acb47d8e4cb0c0e0f4e9d796c5027d562667626db431059039156afb838a4321cb8d07dd1af1cd3fd6750d7f58f358597e6cb0672f1c37eb91114dc42e25b

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
81KB

MD5
4a032063487e67b34033f1d73abf100a

SHA1
f64697757432c969a103bd77c9bd531766d224b2

SHA256
6e311ae32229be47a006a751941b4315dd947bd482ed559add70e478075d3268

SHA512
3ff2c18bb5644f2f49fc03e112c9234290e9b64c8d1a2ffbe49b0a41c08b589972214198527e453a0ecded1b23f19e6b3fd4f6d4cb1b33e9a9b81fb5045be972

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
81KB

MD5
4a032063487e67b34033f1d73abf100a

SHA1
f64697757432c969a103bd77c9bd531766d224b2

SHA256
6e311ae32229be47a006a751941b4315dd947bd482ed559add70e478075d3268

SHA512
3ff2c18bb5644f2f49fc03e112c9234290e9b64c8d1a2ffbe49b0a41c08b589972214198527e453a0ecded1b23f19e6b3fd4f6d4cb1b33e9a9b81fb5045be972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
81KB

MD5
ac672a34ebc24207f47c0264fc963698

SHA1
aa7d64d509937c75fbe5d0cf2f980fe04e441166

SHA256
b29a959bbfab7492aeea6dad739885bd9209965435a7750ce253ac5ed0f8b935

SHA512
5e9d71379ee5eaedd8577efd2478625812f906d48aa004a372ac25d0c1f43d7a6e6a2ed89f5be942c2265207816bffd17f8e7e2e9406d2d3645f4e73ec70fb57

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
81KB

MD5
ac672a34ebc24207f47c0264fc963698

SHA1
aa7d64d509937c75fbe5d0cf2f980fe04e441166

SHA256
b29a959bbfab7492aeea6dad739885bd9209965435a7750ce253ac5ed0f8b935

SHA512
5e9d71379ee5eaedd8577efd2478625812f906d48aa004a372ac25d0c1f43d7a6e6a2ed89f5be942c2265207816bffd17f8e7e2e9406d2d3645f4e73ec70fb57

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
81KB

MD5
0aa114329c4b1824ca2a4a9bed6b2400

SHA1
20ea228bda176dd850e1e499dad574eb0ca282b1

SHA256
a208a1cfe79b74b54351f697e9e6898d951519b772f82681388ef0b404329715

SHA512
921acb47d8e4cb0c0e0f4e9d796c5027d562667626db431059039156afb838a4321cb8d07dd1af1cd3fd6750d7f58f358597e6cb0672f1c37eb91114dc42e25b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
81KB

MD5
0aa114329c4b1824ca2a4a9bed6b2400

SHA1
20ea228bda176dd850e1e499dad574eb0ca282b1

SHA256
a208a1cfe79b74b54351f697e9e6898d951519b772f82681388ef0b404329715

SHA512
921acb47d8e4cb0c0e0f4e9d796c5027d562667626db431059039156afb838a4321cb8d07dd1af1cd3fd6750d7f58f358597e6cb0672f1c37eb91114dc42e25b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
81KB

MD5
d8349111f977932d6ab150746861f582

SHA1
99e8792938869447a1fbdc1e3974b59a33d1c1ce

SHA256
354d59aaaf2883a2b8407c34afe482ec4949d1e5dff41b10dada821426ae3c33

SHA512
1576ce44b6b9af4c75f5a93e3038872e30b99a8284c27b2e9fbe810712fda5f977c161d0173e2b1fdcc323cc0407f0834ee222d7ab16d940dfff98d669128551

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
81KB

MD5
d8349111f977932d6ab150746861f582

SHA1
99e8792938869447a1fbdc1e3974b59a33d1c1ce

SHA256
354d59aaaf2883a2b8407c34afe482ec4949d1e5dff41b10dada821426ae3c33

SHA512
1576ce44b6b9af4c75f5a93e3038872e30b99a8284c27b2e9fbe810712fda5f977c161d0173e2b1fdcc323cc0407f0834ee222d7ab16d940dfff98d669128551

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
81KB

MD5
d8349111f977932d6ab150746861f582

SHA1
99e8792938869447a1fbdc1e3974b59a33d1c1ce

SHA256
354d59aaaf2883a2b8407c34afe482ec4949d1e5dff41b10dada821426ae3c33

SHA512
1576ce44b6b9af4c75f5a93e3038872e30b99a8284c27b2e9fbe810712fda5f977c161d0173e2b1fdcc323cc0407f0834ee222d7ab16d940dfff98d669128551

Download Submit
C:\Program Files\backup.exe

Filesize
81KB

MD5
708efa6e590e170f47b79c78d0439f24

SHA1
3c710dcca0a6f6b3f4f4f01049eb0559c838a194

SHA256
34e6a99b676fc7ed5f46e7a4c212d78b975fd89c33554ee1fcc80d980dbbfacd

SHA512
16d2fd94cfd5662bff5f9f57758375383fdf33b13e76e31a222cebde574ebdf23fdb74cc6342f4a87e156d50e5caafbfd77b895225b86763fd93a1c02b9c200c

Download Submit
C:\Program Files\backup.exe

Filesize
81KB

MD5
708efa6e590e170f47b79c78d0439f24

SHA1
3c710dcca0a6f6b3f4f4f01049eb0559c838a194

SHA256
34e6a99b676fc7ed5f46e7a4c212d78b975fd89c33554ee1fcc80d980dbbfacd

SHA512
16d2fd94cfd5662bff5f9f57758375383fdf33b13e76e31a222cebde574ebdf23fdb74cc6342f4a87e156d50e5caafbfd77b895225b86763fd93a1c02b9c200c

Download Submit
C:\Users\Admin\AppData\Local\Temp\777349981\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\777349981\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\777349981\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
42466bd741a73efe2044a895308cdf19

SHA1
385d77f2aa912afb47188b44d986962ed8e99945

SHA256
fee679659c657fc0b7ec151f471c1a06f17853cbdb681a2eba3c350f94543482

SHA512
c7599bbb8d83bdc0e1e03430a3734400446a01a0233f197ff6c3926a878b3d955e3470d20357d1a5cbb80d5028abf47a75e7c98c1691bffa52ab98eb9f3185e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
42466bd741a73efe2044a895308cdf19

SHA1
385d77f2aa912afb47188b44d986962ed8e99945

SHA256
fee679659c657fc0b7ec151f471c1a06f17853cbdb681a2eba3c350f94543482

SHA512
c7599bbb8d83bdc0e1e03430a3734400446a01a0233f197ff6c3926a878b3d955e3470d20357d1a5cbb80d5028abf47a75e7c98c1691bffa52ab98eb9f3185e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
42466bd741a73efe2044a895308cdf19

SHA1
385d77f2aa912afb47188b44d986962ed8e99945

SHA256
fee679659c657fc0b7ec151f471c1a06f17853cbdb681a2eba3c350f94543482

SHA512
c7599bbb8d83bdc0e1e03430a3734400446a01a0233f197ff6c3926a878b3d955e3470d20357d1a5cbb80d5028abf47a75e7c98c1691bffa52ab98eb9f3185e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
42466bd741a73efe2044a895308cdf19

SHA1
385d77f2aa912afb47188b44d986962ed8e99945

SHA256
fee679659c657fc0b7ec151f471c1a06f17853cbdb681a2eba3c350f94543482

SHA512
c7599bbb8d83bdc0e1e03430a3734400446a01a0233f197ff6c3926a878b3d955e3470d20357d1a5cbb80d5028abf47a75e7c98c1691bffa52ab98eb9f3185e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
81KB

MD5
87ccc6bf4c067363765c9405c554444d

SHA1
0dea7583b164bc8d04cf7266e15b85ea54380d18

SHA256
93dbee49ba05267827bec6648bb7e5c30212d181beb9d2dee6fc7c29d4841443

SHA512
eb1cfcfe147b4f7eec841116123210d01919038481723d17dbc22c4155cd7d4d9a5cb15fc1b550802d9dbf6d4aa34d1bd68dd7661ed8dd6fbbe5cea31d7cd40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
81KB

MD5
87ccc6bf4c067363765c9405c554444d

SHA1
0dea7583b164bc8d04cf7266e15b85ea54380d18

SHA256
93dbee49ba05267827bec6648bb7e5c30212d181beb9d2dee6fc7c29d4841443

SHA512
eb1cfcfe147b4f7eec841116123210d01919038481723d17dbc22c4155cd7d4d9a5cb15fc1b550802d9dbf6d4aa34d1bd68dd7661ed8dd6fbbe5cea31d7cd40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
81KB

MD5
42dfe6d4965298fcbb3c1f67dca58e89

SHA1
89be00cec2eb84e2cc304f7a3f0109950a407480

SHA256
2bd2269a7358d5ef8d1fd73a30a26efc9a9fb6a7102099ff28f44e3449fe6322

SHA512
d20d49a2ba3016564a86cd008e5397ca3035af1523509eaad425f4a301fd42c51807fffb9d1d23df619a5c35c8d8e6b91c0e64d5c89c0e19c5f3a7f938ac2d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
81KB

MD5
42dfe6d4965298fcbb3c1f67dca58e89

SHA1
89be00cec2eb84e2cc304f7a3f0109950a407480

SHA256
2bd2269a7358d5ef8d1fd73a30a26efc9a9fb6a7102099ff28f44e3449fe6322

SHA512
d20d49a2ba3016564a86cd008e5397ca3035af1523509eaad425f4a301fd42c51807fffb9d1d23df619a5c35c8d8e6b91c0e64d5c89c0e19c5f3a7f938ac2d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
81KB

MD5
ceef44176b811440f341f4f511d806ef

SHA1
b34e64419e91f65aecbfa2991e4c9229158166d7

SHA256
bd536993c40f78be6023b6844b5dc571b9b9db6b37e01ed1c9f20fbfb7a848e1

SHA512
7e660f3a746c7db6c78599bbce8c2f11dc377e5c7239970a030aefe415b2171aa4745f5f4150fd99fe0f5d4c82245e866e5e116eef7410c9a2c06272f662a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
81KB

MD5
ceef44176b811440f341f4f511d806ef

SHA1
b34e64419e91f65aecbfa2991e4c9229158166d7

SHA256
bd536993c40f78be6023b6844b5dc571b9b9db6b37e01ed1c9f20fbfb7a848e1

SHA512
7e660f3a746c7db6c78599bbce8c2f11dc377e5c7239970a030aefe415b2171aa4745f5f4150fd99fe0f5d4c82245e866e5e116eef7410c9a2c06272f662a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
81KB

MD5
42466bd741a73efe2044a895308cdf19

SHA1
385d77f2aa912afb47188b44d986962ed8e99945

SHA256
fee679659c657fc0b7ec151f471c1a06f17853cbdb681a2eba3c350f94543482

SHA512
c7599bbb8d83bdc0e1e03430a3734400446a01a0233f197ff6c3926a878b3d955e3470d20357d1a5cbb80d5028abf47a75e7c98c1691bffa52ab98eb9f3185e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
81KB

MD5
42466bd741a73efe2044a895308cdf19

SHA1
385d77f2aa912afb47188b44d986962ed8e99945

SHA256
fee679659c657fc0b7ec151f471c1a06f17853cbdb681a2eba3c350f94543482

SHA512
c7599bbb8d83bdc0e1e03430a3734400446a01a0233f197ff6c3926a878b3d955e3470d20357d1a5cbb80d5028abf47a75e7c98c1691bffa52ab98eb9f3185e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\af\backup.exe

Filesize
81KB

MD5
a06a3a81f04b2e11f88e76529ff023aa

SHA1
d55a40cde0c17cc9818aa778ada8b0cdff38e189

SHA256
2ec0c138c9f14f9ce0c446a51a5c0b3cc1ced96050c138b9287686dedd00e9ba

SHA512
ca42edba46d41d695742e7d6b8a4da7011ce33c97e309116284a7183a0953fae68e381493ecf1fdce5d80c738860688f1ad1ed6c826aa59cd474ed43ec641890

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\af\backup.exe

Filesize
81KB

MD5
a06a3a81f04b2e11f88e76529ff023aa

SHA1
d55a40cde0c17cc9818aa778ada8b0cdff38e189

SHA256
2ec0c138c9f14f9ce0c446a51a5c0b3cc1ced96050c138b9287686dedd00e9ba

SHA512
ca42edba46d41d695742e7d6b8a4da7011ce33c97e309116284a7183a0953fae68e381493ecf1fdce5d80c738860688f1ad1ed6c826aa59cd474ed43ec641890

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\am\backup.exe

Filesize
81KB

MD5
a06a3a81f04b2e11f88e76529ff023aa

SHA1
d55a40cde0c17cc9818aa778ada8b0cdff38e189

SHA256
2ec0c138c9f14f9ce0c446a51a5c0b3cc1ced96050c138b9287686dedd00e9ba

SHA512
ca42edba46d41d695742e7d6b8a4da7011ce33c97e309116284a7183a0953fae68e381493ecf1fdce5d80c738860688f1ad1ed6c826aa59cd474ed43ec641890

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\am\backup.exe

Filesize
81KB

MD5
a06a3a81f04b2e11f88e76529ff023aa

SHA1
d55a40cde0c17cc9818aa778ada8b0cdff38e189

SHA256
2ec0c138c9f14f9ce0c446a51a5c0b3cc1ced96050c138b9287686dedd00e9ba

SHA512
ca42edba46d41d695742e7d6b8a4da7011ce33c97e309116284a7183a0953fae68e381493ecf1fdce5d80c738860688f1ad1ed6c826aa59cd474ed43ec641890

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ar\backup.exe

Filesize
81KB

MD5
a06a3a81f04b2e11f88e76529ff023aa

SHA1
d55a40cde0c17cc9818aa778ada8b0cdff38e189

SHA256
2ec0c138c9f14f9ce0c446a51a5c0b3cc1ced96050c138b9287686dedd00e9ba

SHA512
ca42edba46d41d695742e7d6b8a4da7011ce33c97e309116284a7183a0953fae68e381493ecf1fdce5d80c738860688f1ad1ed6c826aa59cd474ed43ec641890

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\ar\backup.exe

Filesize
81KB

MD5
a06a3a81f04b2e11f88e76529ff023aa

SHA1
d55a40cde0c17cc9818aa778ada8b0cdff38e189

SHA256
2ec0c138c9f14f9ce0c446a51a5c0b3cc1ced96050c138b9287686dedd00e9ba

SHA512
ca42edba46d41d695742e7d6b8a4da7011ce33c97e309116284a7183a0953fae68e381493ecf1fdce5d80c738860688f1ad1ed6c826aa59cd474ed43ec641890

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\az\backup.exe

Filesize
81KB

MD5
a1945c7a2f3edbfb7a9f75e87de75c27

SHA1
4b0d73a198603d3e0abd59f77a15eee96afaeb05

SHA256
a148498d6134c90be11dfc7e8228c4c69f118ed6dbf266ba1e9809856b9437b3

SHA512
87fdbe0edffe9ef791e4446a2bfbbf4243dad01673e76c8a2ee7e97c9f29afcd56ab5429c60e7abad2eb1cff07bf1b47c083c25728f879cee0de0c6ccc57db16

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\az\backup.exe

Filesize
81KB

MD5
a1945c7a2f3edbfb7a9f75e87de75c27

SHA1
4b0d73a198603d3e0abd59f77a15eee96afaeb05

SHA256
a148498d6134c90be11dfc7e8228c4c69f118ed6dbf266ba1e9809856b9437b3

SHA512
87fdbe0edffe9ef791e4446a2bfbbf4243dad01673e76c8a2ee7e97c9f29afcd56ab5429c60e7abad2eb1cff07bf1b47c083c25728f879cee0de0c6ccc57db16

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\backup.exe

Filesize
81KB

MD5
2082f25c9ca933e6640362617892f54a

SHA1
7591b326156582a8bdcfc5943d623614de0bf1ba

SHA256
ba23305233df1c84e201f8debceb106e9b841fcdb5dad758bade43c7cef651d8

SHA512
ab3e1024fff68e57f402d7e536108b4276fb8bd6fe2815bebbbe33e42743dfecfeff1041ae056e3b5a54e8c7cca07280f99fe8c7f8b3f26342e2a68d3d54f4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\backup.exe

Filesize
81KB

MD5
2082f25c9ca933e6640362617892f54a

SHA1
7591b326156582a8bdcfc5943d623614de0bf1ba

SHA256
ba23305233df1c84e201f8debceb106e9b841fcdb5dad758bade43c7cef651d8

SHA512
ab3e1024fff68e57f402d7e536108b4276fb8bd6fe2815bebbbe33e42743dfecfeff1041ae056e3b5a54e8c7cca07280f99fe8c7f8b3f26342e2a68d3d54f4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\_locales\be\backup.exe

Filesize
81KB

MD5
a1945c7a2f3edbfb7a9f75e87de75c27

SHA1
4b0d73a198603d3e0abd59f77a15eee96afaeb05

SHA256
a148498d6134c90be11dfc7e8228c4c69f118ed6dbf266ba1e9809856b9437b3

SHA512
87fdbe0edffe9ef791e4446a2bfbbf4243dad01673e76c8a2ee7e97c9f29afcd56ab5429c60e7abad2eb1cff07bf1b47c083c25728f879cee0de0c6ccc57db16

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\backup.exe

Filesize
81KB

MD5
7e4940f85c6b85dc2b42b30cffe4f334

SHA1
096cc204547b972010122a46f6687e35bb59b197

SHA256
7997387cd6f19c600d34d7cba5f34339204a7fbafd0363e05b1535165a2191f0

SHA512
fd107b5ccb6e061108fe278955223aa2c45c8680de988136f9243a176e2d847764795c0c48f72d2f14d0b693a2a5a80fc412323c9dbd8e170fa47dc11635e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\CRX_INSTALL\backup.exe

Filesize
81KB

MD5
7e4940f85c6b85dc2b42b30cffe4f334

SHA1
096cc204547b972010122a46f6687e35bb59b197

SHA256
7997387cd6f19c600d34d7cba5f34339204a7fbafd0363e05b1535165a2191f0

SHA512
fd107b5ccb6e061108fe278955223aa2c45c8680de988136f9243a176e2d847764795c0c48f72d2f14d0b693a2a5a80fc412323c9dbd8e170fa47dc11635e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\backup.exe

Filesize
81KB

MD5
af2b85f743ede25e7f9955cd09b947e9

SHA1
fffc139355a03a0f8ecb0199a2c30cc83b475f4b

SHA256
09d2ed8e577e5db057ad260279f2ac3a89c3e770dea640afe3938b233248f368

SHA512
d25ffba8ecc381553c9b1f002c6418118dc7e7a52b87dc463f0a0aa2cec584af1a80d1ac58cfde83603ae0d4cbc2561bd32e6d37dff4964fbf7594ac2ccad4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1844_1388668570\backup.exe

Filesize
81KB

MD5
af2b85f743ede25e7f9955cd09b947e9

SHA1
fffc139355a03a0f8ecb0199a2c30cc83b475f4b

SHA256
09d2ed8e577e5db057ad260279f2ac3a89c3e770dea640afe3938b233248f368

SHA512
d25ffba8ecc381553c9b1f002c6418118dc7e7a52b87dc463f0a0aa2cec584af1a80d1ac58cfde83603ae0d4cbc2561bd32e6d37dff4964fbf7594ac2ccad4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
9fb8d4d685e27d406df4efbf82cd2447

SHA1
2c47f7b1525cec88a1d1af2b4b6c8e4b521f5a57

SHA256
c2399dce20922150a47497d9a7bf3d9f243aeb33dea42cfa2312efd10e6b05d5

SHA512
8176a67ab9dd14596531ef995d61cafdbe2b64e03326f6435a8ff478ac2c6d72fb040585ce4c91a23b70964c8fd14f33eb72fdf605ef7d271362802c69f5671a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ADB61D77-99F4-41E2-B8E6-A5B939354786}\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ADB61D77-99F4-41E2-B8E6-A5B939354786}\backup.exe

Filesize
81KB

MD5
6f7cb2b2562b7134bdd70c2b9eba0b84

SHA1
461185ca9d920952bcb830322a6254ed8469a4da

SHA256
e6b2bb26d76f5922a8e4a4bfa758133a807ff95f5aba4926771e8391d00615fc

SHA512
f48fd66b20e310892ca9b7be4d2de443561e4b2c7f6d0e23e91fd37ca373e2dcd58ecee98fcca20be5d1ce3d662b8dfbbfb2f98168090739fe07d2f931c61d36

Download Submit
C:\backup.exe

Filesize
81KB

MD5
fae9cf533d8c59b64fc00feab6fe9011

SHA1
1f6f7f39d4cb1fbedd4a5a6bd5b076a0cdbe4786

SHA256
3e8936845f2027629c75f1500f738088c476f37a914af9b21f5679a050dc9440

SHA512
4611640f9e3531fc353b7ce97dc02d454f221d8af869a9bf6b7b2d4727258672b93887f6795aaf2af50d4f6d832d3af43476061c4215683e5f7d6252de0ba2ee

Download Submit
C:\backup.exe

Filesize
81KB

MD5
fae9cf533d8c59b64fc00feab6fe9011

SHA1
1f6f7f39d4cb1fbedd4a5a6bd5b076a0cdbe4786

SHA256
3e8936845f2027629c75f1500f738088c476f37a914af9b21f5679a050dc9440

SHA512
4611640f9e3531fc353b7ce97dc02d454f221d8af869a9bf6b7b2d4727258672b93887f6795aaf2af50d4f6d832d3af43476061c4215683e5f7d6252de0ba2ee

Download Submit
C:\odt\backup.exe

Filesize
81KB

MD5
176f80b01ece1199d697d6514492cc44

SHA1
88c9498e7cdc2b3d616b309bf13851f3f3aca20f

SHA256
0b8781dec3d4c371a73489f8627e022caaafe5829ae8e0837b252a9d1d30aeff

SHA512
76515222e09c2597830dd1399efe009853255da5f741202033e30a9f863e0b3ecc9e8a5021d8ceb7d722f0f4737647a733534f137dbb79a7a8b83721df756114

Download Submit
C:\odt\backup.exe

Filesize
81KB

MD5
176f80b01ece1199d697d6514492cc44

SHA1
88c9498e7cdc2b3d616b309bf13851f3f3aca20f

SHA256
0b8781dec3d4c371a73489f8627e022caaafe5829ae8e0837b252a9d1d30aeff

SHA512
76515222e09c2597830dd1399efe009853255da5f741202033e30a9f863e0b3ecc9e8a5021d8ceb7d722f0f4737647a733534f137dbb79a7a8b83721df756114

Download Submit
memory/440-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/440-128-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/536-238-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/548-250-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/612-112-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/612-195-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/692-336-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/816-119-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/960-126-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1124-193-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1148-275-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1196-358-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1236-296-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1276-227-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-305-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1472-366-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1528-256-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1544-348-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1632-174-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1672-19-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1672-279-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1812-160-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1844-224-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1968-127-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2004-300-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2216-96-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2652-210-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2836-223-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2924-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2932-329-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2936-236-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3040-376-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3044-287-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3208-285-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3276-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3276-69-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3524-125-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3536-219-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3732-147-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3760-368-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4024-319-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4052-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4104-129-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4116-346-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4204-259-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4212-378-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4344-81-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4376-181-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4396-328-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4524-197-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4640-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4644-318-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4656-234-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4708-211-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4736-309-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4776-248-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4784-51-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4880-339-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4928-270-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4976-198-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4980-80-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5012-266-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5064-246-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5096-30-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads