3b26930dd7416671423d4b218166f9a8220a403ecb819d8f3b900a66e069d3c6

Resubmissions

09/05/2024, 20:57

240509-zrkvsaec5t 10

09/05/2024, 20:44

240509-zjh18adg3y 10

09/05/2024, 20:42

240509-zg8tvsgg74 7

09/05/2024, 17:33

240509-v48edsdh6y 10

Analysis

max time kernel
40s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
09/05/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe
Size

212KB
MD5

a9da1a582f7b12f9a61551f6d2d4d620
SHA1

1a02868b8191db7363fbbf91b1f8bd368aaa4c63
SHA256

3b26930dd7416671423d4b218166f9a8220a403ecb819d8f3b900a66e069d3c6
SHA512

6942886ad04bbbf315067d16d87b46cdf91d797426ebfa914bc05c8f9fade0dfb0038a3f654f5cd6158e9bfdc3869ec19a8de9824748baa506a3e3a203489341
SSDEEP

1536:qeT7BVwxfvEFwjRCeT75eT7BVwxfUtwxfUF3hPrBHfofga45J7p+XZ:qmVwRKCC6mVwRUtwRU/rrP7YJ

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1752	backup.exe
2104	backup.exe
4496	backup.exe
4512	System Restore.exe
4704	backup.exe
4592	backup.exe
1020	update.exe
1068	backup.exe
2172	backup.exe
3952	backup.exe
3220	backup.exe
2796	backup.exe
4264	backup.exe
4252	System Restore.exe
420	backup.exe
2020	backup.exe
3812	backup.exe
4600	data.exe
4872	data.exe
4712	backup.exe
400	backup.exe
1868	backup.exe
1212	backup.exe
792	backup.exe
3576	backup.exe
340	backup.exe
3144	backup.exe
916	backup.exe
3596	backup.exe
2124	backup.exe
2112	backup.exe
1240	backup.exe
4396	System Restore.exe
1292	backup.exe
4776	backup.exe
404	backup.exe
4084	backup.exe
3780	backup.exe
4768	backup.exe
3200	System Restore.exe
2788	backup.exe
1556	backup.exe
4320	backup.exe
2100	backup.exe
1380	backup.exe
4664	backup.exe
4988	backup.exe
1960	data.exe
1592	data.exe
3340	backup.exe
4160	backup.exe
2892	backup.exe
2912	backup.exe
896	backup.exe
2288	backup.exe
3632	backup.exe
3916	backup.exe
3320	backup.exe
1868	backup.exe
4744	backup.exe
2044	backup.exe
2064	backup.exe
1692	backup.exe
2400	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/336-0-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000200000002a9d5-6.dat	upx
behavioral1/memory/1752-8-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2104-14-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4496-23-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2104-19-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4512-32-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4704-37-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4512-36-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4592-45-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1020-57-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1068-65-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000100000002a9e0-74.dat	upx
behavioral1/memory/3952-77-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000100000002a9e2-82.dat	upx
behavioral1/memory/3220-85-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/3952-90-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2172-91-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/3220-88-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1752-84-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/336-76-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2172-71-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1068-63-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1020-53-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4592-51-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2796-111-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000700000002a9b6-110.dat	upx
behavioral1/memory/4264-119-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000100000002a9e4-118.dat	upx
behavioral1/memory/4496-117-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4264-125-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4252-127-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000100000002a9e7-132.dat	upx
behavioral1/memory/420-135-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2020-143-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000100000002a9e9-141.dat	upx
behavioral1/memory/4600-158-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4872-166-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000100000002a9ee-171.dat	upx
behavioral1/memory/4712-173-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/400-181-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1868-189-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000100000002a9f1-188.dat	upx
behavioral1/memory/1212-197-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1212-201-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/792-210-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/3576-214-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/792-206-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/3144-230-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/3812-229-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/340-226-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/files/0x000200000002a9f8-244.dat	upx
behavioral1/memory/916-242-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/3596-247-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2124-257-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2112-264-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2112-268-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1240-275-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1292-287-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4776-289-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4776-293-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4084-302-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4768-312-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/4768-317-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\backup.exe	update.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\backup.exe	Process not Found
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Notifications\backup.exe	Process not Found
File opened for modification	C:\Program Files\Windows NT\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe	Process not Found
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\VisualElements\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe	update.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\update.exe	Process not Found

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\Containers\serviced\System Restore.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\System Restore.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\System Restore.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\System.Printing\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\System.EnterpriseServices\System Restore.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\backup.exe	update.exe
File opened for modification	C:\Windows\CbsTemp\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\backup.exe	Process not Found
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Data.OracleClient\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\IIEHost\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\srmlib\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\System.Transactions\backup.exe	Process not Found
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\debug\update.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\Containers\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\System Restore.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEHost\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.v3.5\backup.exe	Process not Found
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\update.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\data.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe
1752	backup.exe
2104	backup.exe
4496	backup.exe
4512	System Restore.exe
4704	backup.exe
4592	backup.exe
1020	update.exe
1068	backup.exe
2172	backup.exe
3952	backup.exe
3220	backup.exe
2796	backup.exe
4264	backup.exe
4252	System Restore.exe
420	backup.exe
2020	backup.exe
3812	backup.exe
4600	data.exe
4872	data.exe
4712	backup.exe
400	backup.exe
1868	backup.exe
1212	backup.exe
792	backup.exe
3576	backup.exe
340	backup.exe
3144	backup.exe
916	backup.exe
3596	backup.exe
2124	backup.exe
2112	backup.exe
1240	backup.exe
4396	System Restore.exe
1292	backup.exe
4776	backup.exe
404	backup.exe
4084	backup.exe
3780	backup.exe
4768	backup.exe
3200	System Restore.exe
2788	backup.exe
1556	backup.exe
4320	backup.exe
2100	backup.exe
1380	backup.exe
4664	backup.exe
4988	backup.exe
1960	data.exe
1592	data.exe
3340	backup.exe
4160	backup.exe
2892	backup.exe
2912	backup.exe
896	backup.exe
2288	backup.exe
3632	backup.exe
3916	backup.exe
3320	backup.exe
1868	backup.exe
4744	backup.exe
2044	backup.exe
2064	backup.exe
1692	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 1752	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	78
PID 336 wrote to memory of 1752	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	78
PID 336 wrote to memory of 1752	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	78
PID 336 wrote to memory of 2104	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	79
PID 336 wrote to memory of 2104	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	79
PID 336 wrote to memory of 2104	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	79
PID 336 wrote to memory of 4496	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	80
PID 336 wrote to memory of 4496	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	80
PID 336 wrote to memory of 4496	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	80
PID 336 wrote to memory of 4512	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	81
PID 336 wrote to memory of 4512	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	81
PID 336 wrote to memory of 4512	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	81
PID 336 wrote to memory of 4704	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	82
PID 336 wrote to memory of 4704	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	82
PID 336 wrote to memory of 4704	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	82
PID 336 wrote to memory of 4592	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	83
PID 336 wrote to memory of 4592	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	83
PID 336 wrote to memory of 4592	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	83
PID 336 wrote to memory of 1020	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	84
PID 336 wrote to memory of 1020	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	84
PID 336 wrote to memory of 1020	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	84
PID 336 wrote to memory of 1068	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	85
PID 336 wrote to memory of 1068	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	85
PID 336 wrote to memory of 1068	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	85
PID 336 wrote to memory of 2172	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	161
PID 336 wrote to memory of 2172	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	161
PID 336 wrote to memory of 2172	336	a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe	161
PID 2172 wrote to memory of 3952	2172	backup.exe	87
PID 2172 wrote to memory of 3952	2172	backup.exe	87
PID 2172 wrote to memory of 3952	2172	backup.exe	87
PID 3952 wrote to memory of 3220	3952	backup.exe	88
PID 3952 wrote to memory of 3220	3952	backup.exe	88
PID 3952 wrote to memory of 3220	3952	backup.exe	88
PID 1752 wrote to memory of 2796	1752	backup.exe	89
PID 1752 wrote to memory of 2796	1752	backup.exe	89
PID 1752 wrote to memory of 2796	1752	backup.exe	89
PID 2796 wrote to memory of 4264	2796	backup.exe	167
PID 2796 wrote to memory of 4264	2796	backup.exe	167
PID 2796 wrote to memory of 4264	2796	backup.exe	167
PID 2796 wrote to memory of 4252	2796	backup.exe	91
PID 2796 wrote to memory of 4252	2796	backup.exe	91
PID 2796 wrote to memory of 4252	2796	backup.exe	91
PID 4252 wrote to memory of 420	4252	System Restore.exe	92
PID 4252 wrote to memory of 420	4252	System Restore.exe	92
PID 4252 wrote to memory of 420	4252	System Restore.exe	92
PID 420 wrote to memory of 2020	420	backup.exe	93
PID 420 wrote to memory of 2020	420	backup.exe	93
PID 420 wrote to memory of 2020	420	backup.exe	93
PID 4252 wrote to memory of 3812	4252	System Restore.exe	94
PID 4252 wrote to memory of 3812	4252	System Restore.exe	94
PID 4252 wrote to memory of 3812	4252	System Restore.exe	94
PID 3812 wrote to memory of 4600	3812	backup.exe	95
PID 3812 wrote to memory of 4600	3812	backup.exe	95
PID 3812 wrote to memory of 4600	3812	backup.exe	95
PID 3812 wrote to memory of 4872	3812	backup.exe	96
PID 3812 wrote to memory of 4872	3812	backup.exe	96
PID 3812 wrote to memory of 4872	3812	backup.exe	96
PID 4872 wrote to memory of 4712	4872	data.exe	97
PID 4872 wrote to memory of 4712	4872	data.exe	97
PID 4872 wrote to memory of 4712	4872	data.exe	97
PID 4872 wrote to memory of 400	4872	data.exe	98
PID 4872 wrote to memory of 400	4872	data.exe	98
PID 4872 wrote to memory of 400	4872	data.exe	98
PID 400 wrote to memory of 1868	400	backup.exe	99

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a9da1a582f7b12f9a61551f6d2d4d620_NeikiAnalytics.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\{376A4112-0355-489B-8978-24D90645E0E0}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{376A4112-0355-489B-8978-24D90645E0E0}\backup.exe C:\Users\Admin\AppData\Local\Temp\{376A4112-0355-489B-8978-24D90645E0E0}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4264
  - - C:\Program Files\System Restore.exe
      "C:\Program Files\System Restore.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:420
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Program Files\Common Files\DESIGNER\data.exe
        
        "C:\Program Files\Common Files\DESIGNER\data.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4600
      - C:\Program Files\Common Files\microsoft shared\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\data.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4712
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1212
        
        C:\Program Files\Common Files\microsoft shared\ink\ca-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ca-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ca-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3576
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3144
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3596
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4396
        
        C:\Program Files\Common Files\microsoft shared\ink\eu-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\eu-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\eu-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3780
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4768
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3200
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4320
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4664
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4988
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files\Common Files\microsoft shared\ink\gl-ES\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\gl-ES\data.exe" C:\Program Files\Common Files\microsoft shared\ink\gl-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4160
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Program Files\Common Files\microsoft shared\ink\id-ID\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\id-ID\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\id-ID\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3320
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4744
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2884
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\data.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:2944
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\update.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:1864
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:4740
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:2112
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:1240
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\update.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:2436
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:1444
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        
        PID:1480
        
        C:\Program Files\Common Files\microsoft shared\ink\vi-VN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\vi-VN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\vi-VN\
        8⤵
        
        PID:4816
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:3656
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\data.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:4904
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:2312
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:4588
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:2300
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:3176
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1356
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:4216
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:2172
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:652
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:4092
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:1788
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:1560
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3148
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:4264
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:4916
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2892
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1484
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2180
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:4648
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        System policy modification
        
        PID:756
    - - C:\Program Files\dotnet\backup.exe
        
        "C:\Program Files\dotnet\backup.exe" C:\Program Files\dotnet\
        5⤵
        
        PID:3632
      - C:\Program Files\dotnet\host\backup.exe
        
        "C:\Program Files\dotnet\host\backup.exe" C:\Program Files\dotnet\host\
        6⤵
        
        PID:3916
        
        C:\Program Files\dotnet\host\fxr\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\backup.exe" C:\Program Files\dotnet\host\fxr\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe" C:\Program Files\dotnet\host\fxr\6.0.27\
        8⤵
        
        PID:3976
        
        C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe" C:\Program Files\dotnet\host\fxr\7.0.16\
        8⤵
        
        PID:4992
        
        C:\Program Files\dotnet\host\fxr\8.0.2\update.exe
        
        "C:\Program Files\dotnet\host\fxr\8.0.2\update.exe" C:\Program Files\dotnet\host\fxr\8.0.2\
        8⤵
        
        PID:4884
      - C:\Program Files\dotnet\shared\backup.exe
        
        "C:\Program Files\dotnet\shared\backup.exe" C:\Program Files\dotnet\shared\
        6⤵
        
        PID:3052
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
        7⤵
        
        PID:1908
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\
        8⤵
        System policy modification
        
        PID:1464
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\data.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\data.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\
        8⤵
        
        PID:2456
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\
        8⤵
        
        PID:4920
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\
        7⤵
        
        PID:864
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\
        8⤵
        System policy modification
        
        PID:564
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\
        9⤵
        
        PID:416
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\
        9⤵
        System policy modification
        
        PID:1880
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\
        9⤵
        
        PID:4024
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\
        9⤵
        
        PID:3464
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\
        9⤵
        
        PID:3620
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\
        9⤵
        
        PID:3680
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\
        9⤵
        
        PID:4352
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\
        9⤵
        
        PID:2608
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\
        9⤵
        
        PID:4592
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\
        9⤵
        
        PID:5028
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\
        9⤵
        
        PID:1588
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\
        9⤵
        
        PID:2312
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\
        9⤵
        
        PID:4832
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\
        8⤵
        
        PID:1576
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\update.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\update.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\
        9⤵
        
        PID:1964
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\
        9⤵
        
        PID:4664
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\
        9⤵
        
        PID:4224
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\
        9⤵
        
        PID:652
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\
        9⤵
        
        PID:3352
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\
        9⤵
        
        PID:1592
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\
        9⤵
        
        PID:4228
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\
        9⤵
        
        PID:996
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\
        9⤵
        
        PID:4932
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\
        9⤵
        
        PID:3744
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\
        9⤵
        
        PID:2892
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\
        9⤵
        
        PID:3924
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\
        9⤵
        
        PID:2472
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\
        8⤵
        Drops file in Program Files directory
        
        PID:3048
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\
        9⤵
        
        PID:2352
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\
        9⤵
        
        PID:2132
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\
        9⤵
        
        PID:3320
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\
        9⤵
        
        PID:3216
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\
        9⤵
        
        PID:2336
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\
        9⤵
        
        PID:940
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\
        9⤵
        
        PID:1180
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\
        9⤵
        
        PID:1060
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\
        9⤵
        
        PID:1392
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System Restore.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\
        9⤵
        
        PID:3364
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\
        9⤵
        
        PID:1952
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\
        9⤵
        
        PID:1440
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\
        9⤵
        
        PID:3584
      - C:\Program Files\dotnet\swidtag\backup.exe
        
        "C:\Program Files\dotnet\swidtag\backup.exe" C:\Program Files\dotnet\swidtag\
        6⤵
        
        PID:1572
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        System policy modification
        
        PID:2028
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        System policy modification
        
        PID:4268
        
        C:\Program Files\Google\Chrome\Application\update.exe
        
        "C:\Program Files\Google\Chrome\Application\update.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Drops file in Program Files directory
        
        PID:4364
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\
        8⤵
        Drops file in Program Files directory
        
        PID:4984
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\
        9⤵
        
        PID:2836
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\update.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\update.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\
        9⤵
        
        PID:696
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\
        9⤵
        
        PID:4044
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\
        9⤵
        
        PID:4592
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\System Restore.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\
        9⤵
        
        PID:1020
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\
        9⤵
        
        PID:1600
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\
        9⤵
        
        PID:4408
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\
        10⤵
        Drops file in Program Files directory
        
        PID:3176
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:3952
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\data.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\data.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1964
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:4964
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:3884
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:3468
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4248
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:4872
      - C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        6⤵
        Drops file in Program Files directory
        
        PID:1448
        
        C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        7⤵
        
        PID:3060
        
        C:\Program Files\Java\jdk-1.8\include\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
        7⤵
        
        PID:2220
        
        C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        8⤵
        
        PID:2820
        
        C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
        9⤵
        
        PID:4940
        
        C:\Program Files\Java\jdk-1.8\jre\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\backup.exe" C:\Program Files\Java\jdk-1.8\jre\
        7⤵
        Drops file in Program Files directory
        
        PID:1044
        
        C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
        8⤵
        
        PID:3368
        
        C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        9⤵
        
        PID:3148
        
        C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        9⤵
        
        PID:4712
        
        C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
        9⤵
        
        PID:2132
        
        C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
        8⤵
        
        PID:4292
        
        C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
        9⤵
        
        PID:3784
        
        C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
        9⤵
        System policy modification
        
        PID:792
        
        C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
        8⤵
        
        PID:2232
        
        C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        9⤵
        
        PID:2320
        
        C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        9⤵
        
        PID:1048
        
        C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        9⤵
        
        PID:4068
        
        C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
        9⤵
        
        PID:2364
        
        C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
        9⤵
        
        PID:2976
        
        C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
        9⤵
        
        PID:1192
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\data.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\data.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\
        9⤵
        
        PID:4728
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
        10⤵
        
        PID:1100
        
        C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\
        9⤵
        
        PID:1104
        
        C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
        9⤵
        
        PID:4396
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\
        9⤵
        
        PID:1176
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\
        10⤵
        Drops file in Program Files directory
        
        PID:2236
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\System Restore.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\System Restore.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\
        11⤵
        
        PID:1468
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
        11⤵
        
        PID:5016
        
        C:\Program Files\Java\jdk-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
        7⤵
        
        PID:696
        
        C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        8⤵
        
        PID:4520
        
        C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
        8⤵
        
        PID:4592
        
        C:\Program Files\Java\jdk-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
        7⤵
        System policy modification
        
        PID:1020
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        
        PID:2596
        
        C:\Program Files\Java\jre-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
        7⤵
        
        PID:488
        
        C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        8⤵
        
        PID:2616
        
        C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        8⤵
        
        PID:3176
        
        C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        8⤵
        
        PID:2856
        
        C:\Program Files\Java\jre-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
        7⤵
        
        PID:1964
        
        C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        8⤵
        System policy modification
        
        PID:4024
        
        C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        8⤵
        
        PID:724
        
        C:\Program Files\Java\jre-1.8\lib\System Restore.exe
        
        "C:\Program Files\Java\jre-1.8\lib\System Restore.exe" C:\Program Files\Java\jre-1.8\lib\
        7⤵
        
        PID:3884
        
        C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        8⤵
        
        PID:4604
        
        C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        8⤵
        
        PID:2224
        
        C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        8⤵
        
        PID:5104
        
        C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe" C:\Program Files\Java\jre-1.8\lib\deploy\
        8⤵
        
        PID:2144
        
        C:\Program Files\Java\jre-1.8\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\backup.exe" C:\Program Files\Java\jre-1.8\lib\ext\
        8⤵
        
        PID:2036
        
        C:\Program Files\Java\jre-1.8\lib\fonts\System Restore.exe
        
        "C:\Program Files\Java\jre-1.8\lib\fonts\System Restore.exe" C:\Program Files\Java\jre-1.8\lib\fonts\
        8⤵
        
        PID:2724
        
        C:\Program Files\Java\jre-1.8\lib\images\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\
        8⤵
        
        PID:2220
        
        C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
        9⤵
        
        PID:4600
        
        C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe" C:\Program Files\Java\jre-1.8\lib\jfr\
        8⤵
        
        PID:4812
        
        C:\Program Files\Java\jre-1.8\lib\management\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\management\backup.exe" C:\Program Files\Java\jre-1.8\lib\management\
        8⤵
        
        PID:756
        
        C:\Program Files\Java\jre-1.8\lib\security\update.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\update.exe" C:\Program Files\Java\jre-1.8\lib\security\
        8⤵
        
        PID:1700
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\limited\
        10⤵
        
        PID:1624
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\
        10⤵
        
        PID:2336
      - C:\Program Files\Java\jre8\backup.exe
        
        "C:\Program Files\Java\jre8\backup.exe" C:\Program Files\Java\jre8\
        6⤵
        
        PID:4884
        
        C:\Program Files\Java\jre8\lib\backup.exe
        
        "C:\Program Files\Java\jre8\lib\backup.exe" C:\Program Files\Java\jre8\lib\
        7⤵
        
        PID:4388
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2884
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:4172
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4804
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:3596
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:4088
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Drops file in Program Files directory
        
        PID:1584
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:864
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:3464
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:228
        
        C:\Program Files\Microsoft Office\root\fre\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\fre\System Restore.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:2232
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:4588
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:1588
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:4084
        
        C:\Program Files\Microsoft Office\root\Licenses16\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\System Restore.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:1356
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        
        PID:652
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:1560
        
        C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        Drops file in Program Files directory
        
        PID:4580
        
        C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        8⤵
        
        PID:4380
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        9⤵
        
        PID:2440
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        9⤵
        
        PID:4708
        
        C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        9⤵
        
        PID:1576
        
        C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        8⤵
        
        PID:4292
        
        C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        8⤵
        
        PID:792
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        8⤵
        
        PID:2400
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        9⤵
        
        PID:916
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
        9⤵
        
        PID:2868
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
        10⤵
        
        PID:2012
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
        9⤵
        
        PID:1280
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\
        9⤵
        
        PID:1176
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
        9⤵
        System policy modification
        
        PID:3688
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
        10⤵
        
        PID:1112
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
        10⤵
        
        PID:4904
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\
        10⤵
        Drops file in Program Files directory
        
        PID:2524
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\
        11⤵
        
        PID:3952
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        8⤵
        
        PID:3816
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\
        8⤵
        
        PID:1964
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\
        9⤵
        
        PID:2892
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\
        9⤵
        
        PID:2300
        
        C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        8⤵
        
        PID:1524
        
        C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\
        8⤵
        
        PID:4708
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
        8⤵
        
        PID:1212
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\
        9⤵
        
        PID:1108
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\
        10⤵
        
        PID:3408
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f14\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f14\data.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f14\
        8⤵
        
        PID:4228
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f2\
        8⤵
        
        PID:2032
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f3\
        8⤵
        
        PID:4756
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f33\
        8⤵
        
        PID:2836
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f4\
        8⤵
        
        PID:4656
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f7\
        8⤵
        
        PID:2824
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\
        8⤵
        
        PID:696
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\
        8⤵
        
        PID:1588
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\
        8⤵
        
        PID:4664
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\
        8⤵
        
        PID:964
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\
        8⤵
        
        PID:724
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_w1\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_w1\data.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_w1\
        8⤵
        
        PID:2812
        
        C:\Program Files\Microsoft Office\root\Office16\Library\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\
        8⤵
        
        PID:5104
        
        C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\
        9⤵
        System policy modification
        
        PID:3340
        
        C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\
        9⤵
        
        PID:3104
        
        C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\
        8⤵
        
        PID:3216
        
        C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\
        9⤵
        
        PID:4380
        
        C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\
        10⤵
        
        PID:1564
        
        C:\Program Files\Microsoft Office\root\Office16\LogoImages\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LogoImages\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LogoImages\
        8⤵
        
        PID:4236
        
        C:\Program Files\Microsoft Office\root\Office16\MEDIA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MEDIA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MEDIA\
        8⤵
        
        PID:3784
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\
        8⤵
        Drops file in Program Files directory
        
        PID:4004
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\data.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\
        9⤵
        
        PID:540
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\
        9⤵
        
        PID:2448
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\update.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\
        9⤵
        
        PID:4768
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\data.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\
        9⤵
        
        PID:2704
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\
        9⤵
        
        PID:1112
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\
        9⤵
        
        PID:3220
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\
        9⤵
        
        PID:3468
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\
        9⤵
        
        PID:2728
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\
        9⤵
        
        PID:4160
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\
        9⤵
        
        PID:3092
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\
        9⤵
        
        PID:2180
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\
        9⤵
        
        PID:3872
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\
        9⤵
        
        PID:2132
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\
        9⤵
        
        PID:4388
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\
        9⤵
        
        PID:3884
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\
        9⤵
        System policy modification
        
        PID:2844
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\
        9⤵
        
        PID:1536
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\
        9⤵
        
        PID:1240
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\
        9⤵
        
        PID:2056
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\
        9⤵
        
        PID:3656
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\
        9⤵
        
        PID:864
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\
        9⤵
        
        PID:3868
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\
        9⤵
        
        PID:4832
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\
        9⤵
        
        PID:2788
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\
        9⤵
        
        PID:4408
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\
        9⤵
        
        PID:964
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\
        9⤵
        
        PID:5112
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\
        9⤵
        
        PID:2144
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\
        9⤵
        
        PID:2224
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\
        9⤵
        
        PID:2892
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\
        9⤵
        
        PID:780
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\
        9⤵
        
        PID:3196
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\
        9⤵
        
        PID:388
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\
        9⤵
        
        PID:3300
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\
        9⤵
        
        PID:3472
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\update.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\
        9⤵
        System policy modification
        
        PID:4388
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\
        9⤵
        
        PID:3884
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\
        9⤵
        
        PID:3048
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\
        9⤵
        
        PID:2328
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\
        9⤵
        
        PID:1536
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\
        9⤵
        
        PID:3052
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\
        9⤵
        
        PID:2056
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\
        9⤵
        
        PID:3464
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\
        8⤵
        Drops file in Program Files directory
        
        PID:244
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\
        9⤵
        
        PID:2704
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\
        10⤵
        
        PID:3868
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\
        11⤵
        
        PID:1288
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\update.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\
        9⤵
        
        PID:4268
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\
        10⤵
        
        PID:3188
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\
        11⤵
        System policy modification
        
        PID:3204
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\
        11⤵
        
        PID:4224
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\update.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\
        12⤵
        
        PID:4916
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\
        11⤵
        
        PID:1316
        
        C:\Program Files\Microsoft Office\root\Office16\OneNote\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\OneNote\backup.exe" C:\Program Files\Microsoft Office\root\Office16\OneNote\
        8⤵
        
        PID:4568
        
        C:\Program Files\Microsoft Office\root\Office16\osfFPA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\osfFPA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\osfFPA\
        8⤵
        
        PID:1132
        
        C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\backup.exe" C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\
        8⤵
        
        PID:3212
        
        C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\backup.exe" C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\
        8⤵
        
        PID:4712
        
        C:\Program Files\Microsoft Office\root\Office16\PROOF\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\PROOF\backup.exe" C:\Program Files\Microsoft Office\root\Office16\PROOF\
        8⤵
        
        PID:1564
        
        C:\Program Files\Microsoft Office\root\Office16\QUERIES\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\QUERIES\backup.exe" C:\Program Files\Microsoft Office\root\Office16\QUERIES\
        8⤵
        
        PID:1464
        
        C:\Program Files\Microsoft Office\root\Office16\SAMPLES\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\SAMPLES\backup.exe" C:\Program Files\Microsoft Office\root\Office16\SAMPLES\
        8⤵
        
        PID:4380
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\
        8⤵
        
        PID:3708
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\data.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\
        9⤵
        
        PID:4672
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\
        10⤵
        
        PID:2004
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\
        11⤵
        
        PID:2384
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\
        12⤵
        
        PID:4140
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\
        13⤵
        
        PID:2592
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\
        9⤵
        
        PID:3656
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\
        10⤵
        
        PID:4244
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\
        11⤵
        
        PID:1480
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\
        9⤵
        
        PID:4664
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\
        10⤵
        
        PID:2536
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\
        11⤵
        
        PID:4924
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\
        12⤵
        
        PID:3556
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\
        9⤵
        
        PID:2144
        
        C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\backup.exe" C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\
        8⤵
        
        PID:4576
        
        C:\Program Files\Microsoft Office\root\Office16\STARTUP\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\STARTUP\update.exe" C:\Program Files\Microsoft Office\root\Office16\STARTUP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3952
        
        C:\Program Files\Microsoft Office\root\Office16\XLSTART\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\XLSTART\backup.exe" C:\Program Files\Microsoft Office\root\Office16\XLSTART\
        8⤵
        
        PID:4928
        
        C:\Program Files\Microsoft Office\root\rsod\backup.exe
        
        "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
        7⤵
        
        PID:2564
        
        C:\Program Files\Microsoft Office\root\Templates\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
        7⤵
        
        PID:5104
        
        C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        8⤵
        
        PID:2336
        
        C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\data.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\data.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        9⤵
        
        PID:2368
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\
        9⤵
        
        PID:1700
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4804
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\
        11⤵
        
        PID:464
        
        C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        8⤵
        
        PID:2608
        
        C:\Program Files\Microsoft Office\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
        7⤵
        Drops file in Program Files directory
        
        PID:692
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\
        8⤵
        
        PID:2112
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\
        9⤵
        
        PID:928
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\
        10⤵
        
        PID:1572
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\
        11⤵
        
        PID:1172
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\
        9⤵
        
        PID:3236
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\
        8⤵
        
        PID:1112
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\
        9⤵
        
        PID:2452
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\
        8⤵
        
        PID:4920
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\
        9⤵
        
        PID:740
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\
        9⤵
        Drops file in Program Files directory
        
        PID:2736
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\
        10⤵
        
        PID:5112
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\
        10⤵
        
        PID:5064
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\
        11⤵
        
        PID:3340
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\
        10⤵
        
        PID:1068
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\
        10⤵
        
        PID:4268
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\
        10⤵
        
        PID:2788
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\
        10⤵
        
        PID:4992
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\
        10⤵
        
        PID:4712
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\
        11⤵
        
        PID:2660
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\
        11⤵
        
        PID:3364
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\
        11⤵
        
        PID:1900
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\
        12⤵
        
        PID:4948
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\
        12⤵
        
        PID:2296
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\
        13⤵
        
        PID:3172
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\
        11⤵
        
        PID:840
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\
        11⤵
        
        PID:1104
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\
        12⤵
        
        PID:1020
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\
        11⤵
        System policy modification
        
        PID:1100
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\
        10⤵
        
        PID:4996
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\
        10⤵
        
        PID:5000
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\
        11⤵
        
        PID:1288
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\
        11⤵
        
        PID:3688
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\
        12⤵
        
        PID:740
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\update.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\
        10⤵
        
        PID:2968
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\
        10⤵
        Drops file in Program Files directory
        
        PID:4940
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\
        11⤵
        
        PID:2724
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5016
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\
        11⤵
        
        PID:1132
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\
        11⤵
        
        PID:1180
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\
        11⤵
        
        PID:1084
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\
        11⤵
        
        PID:4256
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\
        11⤵
        
        PID:1056
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\
        11⤵
        
        PID:3216
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\update.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\
        11⤵
        
        PID:2520
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\
        11⤵
        
        PID:2868
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\
        11⤵
        
        PID:3016
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\
        11⤵
        System policy modification
        
        PID:2592
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\
        11⤵
        
        PID:4632
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\
        11⤵
        
        PID:2004
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\
        11⤵
        
        PID:3176
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\
        11⤵
        
        PID:3524
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\
        11⤵
        
        PID:1600
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\
        11⤵
        
        PID:4404
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\
        11⤵
        
        PID:4760
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\
        11⤵
        
        PID:3732
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\update.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\
        11⤵
        
        PID:3816
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\
        11⤵
        
        PID:4224
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\
        11⤵
        
        PID:1068
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\
        11⤵
        
        PID:3372
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\
        11⤵
        
        PID:3408
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\
        11⤵
        
        PID:3056
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\
        11⤵
        
        PID:1952
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\
        11⤵
        
        PID:3468
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\
        11⤵
        
        PID:1408
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\
        11⤵
        
        PID:2788
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\
        11⤵
        
        PID:4888
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\
        11⤵
        
        PID:1804
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\
        11⤵
        
        PID:1992
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\
        11⤵
        
        PID:996
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\
        11⤵
        
        PID:2892
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\
        11⤵
        System policy modification
        
        PID:4708
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2336
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\
        11⤵
        System policy modification
        
        PID:964
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\
        11⤵
        
        PID:1788
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\
        11⤵
        
        PID:1992
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\
        11⤵
        
        PID:3688
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\
        11⤵
        
        PID:3136
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\
        11⤵
        
        PID:1112
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\
        11⤵
        
        PID:2384
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\
        11⤵
        
        PID:4552
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\
        10⤵
        Drops file in Program Files directory
        
        PID:3872
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\
        11⤵
        
        PID:1804
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\
        11⤵
        
        PID:4168
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\
        11⤵
        
        PID:336
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\
        11⤵
        
        PID:4396
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\
        10⤵
        
        PID:3308
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\
        11⤵
        
        PID:3148
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\
        12⤵
        
        PID:5000
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\
        10⤵
        
        PID:4956
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\
        11⤵
        
        PID:2616
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\
        12⤵
        Drops file in Program Files directory
        
        PID:2728
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\
        13⤵
        
        PID:4168
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\
        9⤵
        
        PID:428
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\
        10⤵
        System policy modification
        
        PID:1048
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\
        9⤵
        
        PID:652
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\
        10⤵
        
        PID:1688
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\
        8⤵
        Drops file in Program Files directory
        
        PID:1416
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\
        9⤵
        
        PID:2892
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\
        10⤵
        
        PID:4656
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\
        10⤵
        
        PID:3708
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\
        11⤵
        
        PID:2876
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\
        11⤵
        System policy modification
        
        PID:2104
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\update.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\
        11⤵
        System policy modification
        
        PID:3020
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\
        10⤵
        
        PID:3884
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\
        11⤵
        
        PID:228
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\
        10⤵
        
        PID:2360
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\
        11⤵
        
        PID:3148
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\
        11⤵
        
        PID:3016
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\
        12⤵
        System policy modification
        
        PID:4256
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\
        10⤵
        
        PID:3868
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\
        11⤵
        Drops file in Program Files directory
        
        PID:2728
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\
        12⤵
        
        PID:3872
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\
        9⤵
        
        PID:4168
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\
        10⤵
        
        PID:328
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\
        8⤵
        System policy modification
        
        PID:3480
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\
        9⤵
        
        PID:3916
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\
        10⤵
        
        PID:1020
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\
        11⤵
        Drops file in Program Files directory
        
        PID:1788
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\
        12⤵
        
        PID:5104
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\
        12⤵
        
        PID:1188
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\
        13⤵
        
        PID:2552
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\
        9⤵
        
        PID:3408
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\
        9⤵
        
        PID:5016
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\
        10⤵
        
        PID:1584
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\
        11⤵
        
        PID:1508
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\
        9⤵
        
        PID:4068
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:2028
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:2380
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\update.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\update.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:1160
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\6B40738E-0E24-4EE1-8D04-DD4F2B314499\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\6B40738E-0E24-4EE1-8D04-DD4F2B314499\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\6B40738E-0E24-4EE1-8D04-DD4F2B314499\
        9⤵
        
        PID:1168
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:668
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        Drops file in Program Files directory
        
        PID:4408
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\
        9⤵
        
        PID:1416
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\
        10⤵
        
        PID:1180
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\
        11⤵
        
        PID:4552
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\update.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\update.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\
        12⤵
        
        PID:2288
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\
        13⤵
        
        PID:1172
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\GAC_MSIL\
        14⤵
        
        PID:4676
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        15⤵
        
        PID:1316
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\6B40738E-0E24-4EE1-8D04-DD4F2B314499\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:3136
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:3320
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Drops file in Program Files directory
        
        PID:4372
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:4496
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:1536
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        System policy modification
        
        PID:1444
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:4036
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:228
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:3688
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:4708
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\System Restore.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:3756
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:2336
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1448
      - C:\Program Files\MSBuild\Microsoft\update.exe
        
        "C:\Program Files\MSBuild\Microsoft\update.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        System policy modification
        
        PID:1240
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5000
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:1112
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:240
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:4872
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:1020
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:696
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\update.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3308
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:2172
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:3144
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:2448
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1240
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        
        PID:4004
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:3200
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        Drops file in Program Files directory
        
        PID:2704
        
        C:\Program Files\VideoLAN\VLC\locale\ach\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\data.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        
        PID:1644
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:1056
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        8⤵
        
        PID:2912
        
        C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        9⤵
        
        PID:2304
        
        C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        8⤵
        
        PID:3204
        
        C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
        9⤵
        
        PID:404
        
        C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\
        8⤵
        
        PID:1100
        
        C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\
        9⤵
        
        PID:3656
        
        C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        8⤵
        
        PID:4304
        
        C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
        9⤵
        
        PID:3352
        
        C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
        8⤵
        System policy modification
        
        PID:4548
        
        C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        9⤵
        
        PID:228
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
        8⤵
        
        PID:4408
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
        8⤵
        
        PID:4708
        
        C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
        9⤵
        
        PID:2056
        
        C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
        8⤵
        
        PID:1480
        
        C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\
        9⤵
        
        PID:1104
        
        C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\
        8⤵
        
        PID:4168
        
        C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
        9⤵
        
        PID:3408
        
        C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\
        8⤵
        
        PID:1864
        
        C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\
        9⤵
        
        PID:1672
        
        C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\
        8⤵
        
        PID:668
        
        C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\
        9⤵
        
        PID:3320
        
        C:\Program Files\VideoLAN\VLC\locale\br\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\update.exe" C:\Program Files\VideoLAN\VLC\locale\br\
        8⤵
        
        PID:2064
        
        C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\
        9⤵
        
        PID:4552
        
        C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\
        8⤵
        
        PID:4992
        
        C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\
        9⤵
        
        PID:740
        
        C:\Program Files\VideoLAN\VLC\locale\bs\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\data.exe" C:\Program Files\VideoLAN\VLC\locale\bs\
        8⤵
        
        PID:4292
        
        C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\
        9⤵
        
        PID:2868
        
        C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\
        8⤵
        
        PID:4404
        
        C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\
        9⤵
        
        PID:2400
        
        C:\Program Files\VideoLAN\VLC\locale\ca@valencia\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca@valencia\
        8⤵
        
        PID:3784
        
        C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\
        9⤵
        
        PID:488
        
        C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\
        8⤵
        
        PID:2724
        
        C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\
        9⤵
        
        PID:4956
        
        C:\Program Files\VideoLAN\VLC\locale\co\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\co\update.exe" C:\Program Files\VideoLAN\VLC\locale\co\
        8⤵
        
        PID:4268
        
        C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\
        9⤵
        
        PID:4248
        
        C:\Program Files\VideoLAN\VLC\locale\cs\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cs\data.exe" C:\Program Files\VideoLAN\VLC\locale\cs\
        8⤵
        System policy modification
        
        PID:2888
        
        C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\
        9⤵
        
        PID:2272
        
        C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\
        8⤵
        
        PID:1864
        
        C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\
        9⤵
        
        PID:2520
        
        C:\Program Files\VideoLAN\VLC\locale\da\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\da\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\
        8⤵
        
        PID:3148
        
        C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\
        9⤵
        
        PID:1424
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:416
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1292
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        
        PID:2804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:1224
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        
        PID:3288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:2548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:2312
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:3952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:2948
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:3816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:4364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:1132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:3060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:3104
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:3372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:3408
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:2064
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:4976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:5092
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:3008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:4756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:3236
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:4832
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:3620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2948
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:4620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:4248
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:4840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:2472
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:3900
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:4996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        System policy modification
        
        PID:232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        
        PID:1056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        System policy modification
        
        PID:3144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        
        PID:2364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        
        PID:1864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        14⤵
        
        PID:3052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        14⤵
        
        PID:4972
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        
        PID:940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        
        PID:1904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
        14⤵
        System policy modification
        
        PID:2756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
        14⤵
        
        PID:2996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        
        PID:4156
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        System policy modification
        
        PID:3324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        13⤵
        
        PID:740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        
        PID:652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        14⤵
        
        PID:4928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:3744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        12⤵
        
        PID:1484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        13⤵
        
        PID:2520
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
        12⤵
        
        PID:2328
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
        13⤵
        
        PID:2320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
        14⤵
        
        PID:3612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
        12⤵
        
        PID:2832
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        13⤵
        
        PID:4788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
        14⤵
        
        PID:4088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        
        PID:2636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        12⤵
        
        PID:5028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        13⤵
        
        PID:2232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:4672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
        15⤵
        
        PID:2068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        15⤵
        
        PID:1508
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        15⤵
        
        PID:5092
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
        15⤵
        
        PID:5064
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
        15⤵
        
        PID:3488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
        15⤵
        
        PID:4940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
        15⤵
        
        PID:4736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
        15⤵
        
        PID:756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
        15⤵
        
        PID:4708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
        15⤵
        
        PID:2808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
        15⤵
        
        PID:1084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
        15⤵
        
        PID:5004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
        15⤵
        
        PID:240
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\
        15⤵
        
        PID:4228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\
        15⤵
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\
        15⤵
        
        PID:4788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\
        15⤵
        
        PID:3464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\
        15⤵
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\
        15⤵
        
        PID:2824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\
        15⤵
        
        PID:3876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\
        15⤵
        
        PID:4920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\
        15⤵
        
        PID:1904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\
        15⤵
        
        PID:3220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\
        15⤵
        
        PID:4072
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\
        15⤵
        
        PID:5064
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\
        15⤵
        
        PID:4928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\
        15⤵
        
        PID:4940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\
        15⤵
        
        PID:2360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\
        15⤵
        
        PID:4528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\
        15⤵
        
        PID:2520
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\
        15⤵
        
        PID:4888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\
        15⤵
        
        PID:2876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\
        15⤵
        
        PID:1056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\
        15⤵
        
        PID:2652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
        12⤵
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
        13⤵
        
        PID:2052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
        13⤵
        
        PID:4088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:4972
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        15⤵
        
        PID:4244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        15⤵
        
        PID:4592
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
        15⤵
        
        PID:2452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\
        15⤵
        
        PID:2100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\
        15⤵
        
        PID:4920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
        15⤵
        System policy modification
        
        PID:3352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\
        15⤵
        
        PID:4760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\
        15⤵
        
        PID:5112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\
        15⤵
        
        PID:3316
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\
        15⤵
        
        PID:3324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\
        15⤵
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\
        15⤵
        
        PID:912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\
        15⤵
        
        PID:756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\
        15⤵
        
        PID:2208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\
        15⤵
        
        PID:2660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\
        15⤵
        
        PID:4256
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\
        15⤵
        
        PID:4388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\
        15⤵
        
        PID:1192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\
        15⤵
        
        PID:4740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\
        15⤵
        
        PID:3172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1240
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\
        15⤵
        
        PID:4284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\
        15⤵
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\
        15⤵
        
        PID:2288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\
        15⤵
        
        PID:648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\
        15⤵
        System policy modification
        
        PID:488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\
        15⤵
        
        PID:3868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\
        15⤵
        
        PID:3688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\
        15⤵
        
        PID:1788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\
        15⤵
        
        PID:2036
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\
        15⤵
        
        PID:1228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\
        15⤵
        
        PID:3924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\
        15⤵
        
        PID:2788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
        12⤵
        
        PID:3524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
        13⤵
        
        PID:3196
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:1188
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\
        15⤵
        
        PID:4068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\
        15⤵
        
        PID:1388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\
        15⤵
        System policy modification
        
        PID:4304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\
        15⤵
        
        PID:2652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\
        15⤵
        
        PID:2296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\
        15⤵
        
        PID:4984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\
        15⤵
        
        PID:668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\
        15⤵
        
        PID:2364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\
        15⤵
        
        PID:4656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\
        15⤵
        
        PID:3052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\
        15⤵
        
        PID:924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\
        15⤵
        
        PID:564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\
        15⤵
        
        PID:648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\
        15⤵
        
        PID:3620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\
        15⤵
        
        PID:3352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\
        15⤵
        
        PID:4604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\
        15⤵
        
        PID:1788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\
        15⤵
        
        PID:5116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\
        15⤵
        
        PID:1416
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\
        15⤵
        
        PID:1316
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\
        15⤵
        
        PID:4736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\
        15⤵
        
        PID:4580
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\
        15⤵
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\
        15⤵
        
        PID:3756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\
        15⤵
        
        PID:2368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\
        15⤵
        
        PID:4292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\
        15⤵
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\
        15⤵
        
        PID:4804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\
        15⤵
        
        PID:3048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\
        15⤵
        
        PID:3016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\
        15⤵
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\
        15⤵
        System policy modification
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\
        15⤵
        
        PID:1172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
        12⤵
        
        PID:2068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\
        13⤵
        
        PID:1480
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\
        13⤵
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\
        14⤵
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\
        12⤵
        
        PID:4664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\
        12⤵
        Drops file in Program Files directory
        
        PID:5112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\
        13⤵
        Drops file in Program Files directory
        
        PID:5116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\
        14⤵
        
        PID:4748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4024
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\
        14⤵
        
        PID:4268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\
        15⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\
        16⤵
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\
        16⤵
        
        PID:4496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\
        16⤵
        
        PID:4388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\
        16⤵
        
        PID:1340
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\
        16⤵
        
        PID:912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\
        16⤵
        
        PID:4872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\
        16⤵
        
        PID:4156
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\
        16⤵
        
        PID:668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\
        16⤵
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\
        16⤵
        
        PID:4168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\
        16⤵
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\
        16⤵
        
        PID:792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\
        16⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\
        16⤵
        
        PID:4996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\
        16⤵
        
        PID:3656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\
        16⤵
        
        PID:4452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\
        16⤵
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\
        16⤵
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\
        16⤵
        
        PID:780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\
        16⤵
        
        PID:4024
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\
        16⤵
        
        PID:2456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\
        16⤵
        
        PID:3048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\
        16⤵
        
        PID:928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\
        16⤵
        
        PID:2152
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\
        16⤵
        
        PID:2452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\
        16⤵
        
        PID:244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\
        16⤵
        
        PID:1132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\
        16⤵
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\
        16⤵
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\
        16⤵
        
        PID:1288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\
        16⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\
        13⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\
        14⤵
        
        PID:4156
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\
        14⤵
        
        PID:5056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\
        15⤵
        
        PID:4768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\
        16⤵
        
        PID:1212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\
        14⤵
        
        PID:3340
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\
        15⤵
        
        PID:3952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\
        16⤵
        
        PID:3408
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\
        16⤵
        
        PID:896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\
        16⤵
        
        PID:4380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\
        16⤵
        
        PID:2892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\
        16⤵
        
        PID:2804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\
        16⤵
        
        PID:2176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\
        16⤵
        
        PID:488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\
        16⤵
        
        PID:3092
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\
        16⤵
        
        PID:4236
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\
        16⤵
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\
        16⤵
        
        PID:3556
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\
        16⤵
        
        PID:3916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\
        16⤵
        
        PID:4552
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\
        16⤵
        
        PID:3868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\
        16⤵
        
        PID:2968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\
        16⤵
        
        PID:2104
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\
        16⤵
        
        PID:3900
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\
        16⤵
        
        PID:1484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\
        16⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\
        16⤵
        
        PID:1224
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\
        16⤵
        
        PID:2744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\
        16⤵
        
        PID:840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\
        16⤵
        
        PID:3204
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\
        16⤵
        
        PID:5076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\
        16⤵
        
        PID:3688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\
        16⤵
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\
        16⤵
        
        PID:4676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\
        16⤵
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\
        16⤵
        
        PID:5000
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\
        16⤵
        
        PID:2804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\
        16⤵
        
        PID:4772
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\
        16⤵
        
        PID:2564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\
        13⤵
        
        PID:2876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\
        14⤵
        
        PID:3688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\
        14⤵
        System policy modification
        
        PID:4984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\
        13⤵
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\
        14⤵
        
        PID:4088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\
        14⤵
        
        PID:2744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\
        15⤵
        
        PID:3876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\
        16⤵
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\
        14⤵
        Drops file in Program Files directory
        
        PID:1056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\
        15⤵
        
        PID:4228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\
        16⤵
        
        PID:4604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\
        16⤵
        
        PID:4928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\
        16⤵
        
        PID:2808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\
        16⤵
        
        PID:5064
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\
        16⤵
        
        PID:4380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\
        16⤵
        
        PID:840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\
        16⤵
        
        PID:5084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\
        16⤵
        
        PID:2352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:1956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:1188
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:3784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:2836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:4672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:3656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:2856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:4160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:4752
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1084
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:2916
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:840
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:648
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        System policy modification
        
        PID:1960
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:4300
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:2300
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:1192
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:2380
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        Drops file in Program Files directory
        
        PID:1692
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:1960
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:4092
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:4300
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:4568
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:4832
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:256
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:1424
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:4356
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:3480
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:540
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:2056
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:3780
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:652
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        
        PID:4712
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:3324
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:1340
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Drops file in Program Files directory
        
        PID:1588
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:928
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:2068
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4484
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:4320
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:1600
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:4148
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:4768
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:3732
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:4172
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        
        PID:1468
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1584
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:3464
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:3612
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        
        PID:2352
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:1904
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        9⤵
        
        PID:1600
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
        8⤵
        
        PID:2112
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
        9⤵
        
        PID:1432
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\
        9⤵
        
        PID:4972
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        9⤵
        
        PID:924
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:2044
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:2736
      - C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:4232
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        
        PID:4748
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:5028
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4832
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:3144
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:4964
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:1176
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:4656
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:220
        
        C:\Program Files (x86)\Common Files\System\Ole DB\update.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\update.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:4916
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:1132
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:4616
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2052
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:4092
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2884
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:1176
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:2220
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2132
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:3680
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:5056
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:4768
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2112
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        
        PID:3236
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        
        PID:3060
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3528
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3768
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1508
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:564
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:1688
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3216
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:2660
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:3368
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:4452
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:3352
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:428
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1576
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1676
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:4044
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:4612
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:236
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:4632
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:2836
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:3884
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:220
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        System policy modification
        
        PID:3016
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:1448
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:232
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:3368
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:1068
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:1924
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:5016
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:1340
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:4744
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:3144
    - - C:\Windows\AppReadiness\System Restore.exe
        
        "C:\Windows\AppReadiness\System Restore.exe" C:\Windows\AppReadiness\
        5⤵
        
        PID:3292
    - - C:\Windows\assembly\update.exe
        
        C:\Windows\assembly\update.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:540
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:4320
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:564
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3092
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:2248
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3352
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        Drops file in Windows directory
        
        PID:4092
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2448
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:3556
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2200
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:1212
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:1576
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:1232
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4356
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:2040
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:240
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        
        PID:2152
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:1952
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4736
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:3680
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2144
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:1104
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1168
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:4024
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2980
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4140
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1804
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe C:\Windows\assembly\GAC_32\MSBuild\
        7⤵
        
        PID:2536
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2812
- C:\Users\Admin\AppData\Local\Temp\3405611772\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3405611772\backup.exe C:\Users\Admin\AppData\Local\Temp\3405611772\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4496
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
212KB

MD5
b63ae9b69f78badde07b553a750ab9ac

SHA1
0db517eebb3bd721236d60fb8ed65e8f8cabf5cd

SHA256
dcb025a1bf7e0a8468bd0c538dbcd7c7f52375f10682334ba6fcf333cf0a8acd

SHA512
8556eee984dcdedbd5abd1b6cebdc749084be45e31b145aa64ab7c5725a3118d586377fbe6a16037d9cb32922063e810c521a6c084ebfa3b8c88978766153b05

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
212KB

MD5
b1d35d79ce0531b60e106b3cd9b56f1f

SHA1
63b7f0ddd5c4035fdbfe0930e4d33321210a9d23

SHA256
e15e65639a2985ccd7bac07be5fcc525e7ea80e545443a15ea46a54f03e968cd

SHA512
49b4687a35d6f5821c39d26b3cacb0d57dc797e01c6ac2b1c3d7ff6226b73368798f20a1809b9b06924738aa10b69ae102708b400a3dc732e97855767c92b3a9

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
212KB

MD5
2881ec07bfc696711438c76473167d4a

SHA1
62d8728ed9fd37bf5556c4970dd7fbd015cf55f9

SHA256
33e8beffc6ead419bc5f4fdc81f5cf84f3182a009aafee5b9260797d6969bd93

SHA512
492f92750784adfa11b6696e797b9f7b12fb42177e3c4996471d5bcc4dc5b6c8e6985abf69702f44c54918d8abdb22fec702ad4f2302fd4b0258b2167c697098

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
212KB

MD5
0fd61836ba5671d25b2128a1884112e0

SHA1
d92c25f4e3b1e4bee61305c431c7948977ab2985

SHA256
99149dd3908e43f186438a31526e3710e2a93b27b1100d4abfe10edfea979ca9

SHA512
d924702aa735691246d3584a14a580dcb401d2ba91073ea4b846a13300a9a74d903aed5969356e7c76c58cb7a21df3d2db6d5c410a0a22a008afa2d11d85d1b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
212KB

MD5
6412cda8ee2905f3fb24076c7f7d7e16

SHA1
ce9f2c2c16d9991a397c05b67dfcd3608cdab6a3

SHA256
a6bbec97dffaaf87d1169a93b411cec5a4d946d6c0a68f1a739a2377696f5ac7

SHA512
9d513461034ae3701591bcbd4d1db24e8e2603dccd00952d91c3b0ea286c7e47a8015170c6f5c3a0e215d81a3cb8c066589d019096a840b939987fbecf72c563

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
212KB

MD5
b5d10de46a15d5c8135f9d807c33dd2d

SHA1
b86534439ff25fe1316c0bd02dc751c580d15631

SHA256
1a23e824addb24fa64b20910d2ec7f877af79573d4ed1c5d0fe2200b72806106

SHA512
a6b1955e032c3de360e75bd9276c7c224b5ce1fb22facadcf2c3c283bda21b5d3ee12b734bfb49cecc2c1c66eddf1b37d64abd52df8c6f1391f8177cdf6f1ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
212KB

MD5
18d62cfb485002a9f1649eea0547b574

SHA1
a5ae9034c2b20653f0f9e77c59b9609bf6e8b112

SHA256
d010b0aafff3652954b60057a3f5c792f0d67b6511cf82cbbb0bcf7c9d6e4d44

SHA512
b9f081ccb76dcae96a0c4718e4f068b2e9c89087c0f7348c7f224fed58d511d200bdcbb5094e00e903fa47838b860584bd26dcfdc3aaaac33a5b31056d54bc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
212KB

MD5
d5cacf76e9b743686db28ac5bf9c7a22

SHA1
e2e8cef5b48f756193cc61c3df1d6f33ec45d20c

SHA256
3b075d73c9c72cc14924e9797df9c21437d217e8f09e8e083de946577d9acf58

SHA512
dc19f435e8373e1ee2dfbca32485baa3dcdb1a1614d0214819f3536a4a342e9d1916b4e98a8e813fd70273fd4debb800b229a8bafc7023b57af1a8b56165b26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
79KB

MD5
f6fe3977b24ca54cf9b3aea4d7488c31

SHA1
18dc4a279d5de0a24abd605ba06f8bec355db425

SHA256
ac53bf4a023d69f239df0a3b38dfa8f13ce890e175ed9d57cf6609372874e2d3

SHA512
6ea929ef2522ea47fc9630f690eb99b244ffa05b438ed03bfc14114977b3e573e5eb506c3f0744a4580c09752334e1cbc0bed7510240c79ced3c7ad874be3293

Download Submit
C:\Users\Admin\AppData\Local\Temp\{376A4112-0355-489B-8978-24D90645E0E0}\backup.exe

Filesize
212KB

MD5
150d687d579e3b1b3883b08ec9ea2ffb

SHA1
2acee053600f93ec6784e0feec4acdd9fa6f5d7e

SHA256
9bd8e84ffb45f4d00811573a3e2543ade0415355b878a5487356c5cb7673eb6e

SHA512
eae382ae245f58b17d955f5d6b3ff5f181d702a17eb0b7df2a5db38707001799636f4553d2c6746372e5b1a828cce3c4069873a4a4e68bf3c7ee57324ebaf9db

Download Submit
C:\Users\Admin\Desktop\temp.zip

Filesize
79KB

MD5
a4ac7994874f2173256b1b2f8805404f

SHA1
fee8808138dadae27db7084eb411b1a264a853c6

SHA256
bce5884587eb882d3ff3c7c69d8b2a63eef1afdbbfb94910a6d10b9e5adf352b

SHA512
621015e8cc0eac5e7d7edadae389c2ba5c8ef3abe9346d79ba33f0afe1889110b29bd4d38773277d6ded7abfd5b542902e3b84c7d77d32fe264ef5d1bef0404b

Download Submit
C:\backup.exe

Filesize
212KB

MD5
cbe37626c0cc8000e6850508289d2e1a

SHA1
202b526dbefa11343ac95ee3d45f6fc6298eca3f

SHA256
a419725ad1e1322305b083ebaa8411cf4a8bd4ced1cd25436f3a091c01ff4272

SHA512
715ddef73186fc2f1a7a1828fc7f746a68b1be02426fbd3e05e8f5f95d71bbc59681f1dbb29a7d21209c6e2322c157bb7e0846d9682a199f7ac191bf6bc1bc5d

Download Submit
memory/336-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/336-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/340-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/420-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/420-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/792-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/792-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1068-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1068-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1212-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1212-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1240-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1556-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1556-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3220-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3220-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-51-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads