077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe
Size

72KB
MD5

8957a2f4af2c477a265f96bcddb4cef0
SHA1

8cd619691b479ff3f429473ce099e089e356e895
SHA256

077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2
SHA512

0877aecbfe8d2599204a509ae47156daffbf768738e267831876e122c340a2e59fe4cc2f4aa9604317fb9a8df1e38a51847eb0760f59a45d03d8bbf1b5032fa7
SSDEEP

384:y6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2N:ypQNwC3BEddsEqOt/hyJF+x3BEJwRrx

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4000	backup.exe
4460	backup.exe
1604	backup.exe
1268	backup.exe
2012	backup.exe
408	System Restore.exe
1568	data.exe
1408	backup.exe
384	backup.exe
5044	backup.exe
3012	backup.exe
2888	data.exe
4888	backup.exe
848	backup.exe
3588	backup.exe
3548	backup.exe
4640	backup.exe
2140	backup.exe
1320	backup.exe
1168	backup.exe
3540	backup.exe
3188	backup.exe
3260	backup.exe
3120	backup.exe
2008	backup.exe
1884	backup.exe
3196	backup.exe
4604	backup.exe
2340	backup.exe
804	backup.exe
2284	backup.exe
4560	backup.exe
3036	backup.exe
3580	backup.exe
3060	backup.exe
4172	backup.exe
1912	backup.exe
2500	backup.exe
2172	backup.exe
3128	data.exe
2148	backup.exe
672	backup.exe
3380	backup.exe
5044	backup.exe
872	backup.exe
1048	backup.exe
736	backup.exe
4888	backup.exe
776	backup.exe
4392	backup.exe
4644	backup.exe
1168	backup.exe
3068	backup.exe
1312	backup.exe
5056	backup.exe
636	backup.exe
544	backup.exe
2484	backup.exe
3196	backup.exe
4880	backup.exe
2024	data.exe
8	backup.exe
4440	backup.exe
2680	backup.exe

Drops file in Program Files directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe
4000	backup.exe
4460	backup.exe
1604	backup.exe
1268	backup.exe
2012	backup.exe
408	System Restore.exe
1568	data.exe
1408	backup.exe
384	backup.exe
5044	backup.exe
3012	backup.exe
2888	data.exe
4888	backup.exe
848	backup.exe
3588	backup.exe
3548	backup.exe
4640	backup.exe
2140	backup.exe
1320	backup.exe
1168	backup.exe
3540	backup.exe
3188	backup.exe
3260	backup.exe
3120	backup.exe
2008	backup.exe
1884	backup.exe
3196	backup.exe
4604	backup.exe
2340	backup.exe
804	backup.exe
2284	backup.exe
4560	backup.exe
3036	backup.exe
3580	backup.exe
3060	backup.exe
4172	backup.exe
1912	backup.exe
2500	backup.exe
2172	backup.exe
3128	data.exe
2148	backup.exe
672	backup.exe
3380	backup.exe
5044	backup.exe
872	backup.exe
1048	backup.exe
736	backup.exe
4888	backup.exe
776	backup.exe
4392	backup.exe
4644	backup.exe
1168	backup.exe
3068	backup.exe
1312	backup.exe
5056	backup.exe
636	backup.exe
544	backup.exe
2484	backup.exe
3196	backup.exe
4880	backup.exe
2024	data.exe
8	backup.exe
4440	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 4000	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	83
PID 4332 wrote to memory of 4000	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	83
PID 4332 wrote to memory of 4000	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	83
PID 4332 wrote to memory of 4460	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	84
PID 4332 wrote to memory of 4460	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	84
PID 4332 wrote to memory of 4460	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	84
PID 4332 wrote to memory of 1604	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	85
PID 4332 wrote to memory of 1604	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	85
PID 4332 wrote to memory of 1604	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	85
PID 4332 wrote to memory of 1268	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	86
PID 4332 wrote to memory of 1268	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	86
PID 4332 wrote to memory of 1268	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	86
PID 4332 wrote to memory of 2012	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	87
PID 4332 wrote to memory of 2012	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	87
PID 4332 wrote to memory of 2012	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	87
PID 4332 wrote to memory of 408	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	88
PID 4332 wrote to memory of 408	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	88
PID 4332 wrote to memory of 408	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	88
PID 4332 wrote to memory of 1568	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	89
PID 4332 wrote to memory of 1568	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	89
PID 4332 wrote to memory of 1568	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	89
PID 4332 wrote to memory of 1408	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	90
PID 4332 wrote to memory of 1408	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	90
PID 4332 wrote to memory of 1408	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	90
PID 4332 wrote to memory of 384	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	91
PID 4332 wrote to memory of 384	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	91
PID 4332 wrote to memory of 384	4332	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe	91
PID 384 wrote to memory of 5044	384	backup.exe	92
PID 384 wrote to memory of 5044	384	backup.exe	92
PID 384 wrote to memory of 5044	384	backup.exe	92
PID 5044 wrote to memory of 3012	5044	backup.exe	93
PID 5044 wrote to memory of 3012	5044	backup.exe	93
PID 5044 wrote to memory of 3012	5044	backup.exe	93
PID 4000 wrote to memory of 2888	4000	backup.exe	95
PID 4000 wrote to memory of 2888	4000	backup.exe	95
PID 4000 wrote to memory of 2888	4000	backup.exe	95
PID 2888 wrote to memory of 4888	2888	data.exe	96
PID 2888 wrote to memory of 4888	2888	data.exe	96
PID 2888 wrote to memory of 4888	2888	data.exe	96
PID 2888 wrote to memory of 848	2888	data.exe	97
PID 2888 wrote to memory of 848	2888	data.exe	97
PID 2888 wrote to memory of 848	2888	data.exe	97
PID 848 wrote to memory of 3588	848	backup.exe	98
PID 848 wrote to memory of 3588	848	backup.exe	98
PID 848 wrote to memory of 3588	848	backup.exe	98
PID 3588 wrote to memory of 3548	3588	backup.exe	99
PID 3588 wrote to memory of 3548	3588	backup.exe	99
PID 3588 wrote to memory of 3548	3588	backup.exe	99
PID 848 wrote to memory of 4640	848	backup.exe	100
PID 848 wrote to memory of 4640	848	backup.exe	100
PID 848 wrote to memory of 4640	848	backup.exe	100
PID 4640 wrote to memory of 2140	4640	backup.exe	102
PID 4640 wrote to memory of 2140	4640	backup.exe	102
PID 4640 wrote to memory of 2140	4640	backup.exe	102
PID 4640 wrote to memory of 1320	4640	backup.exe	103
PID 4640 wrote to memory of 1320	4640	backup.exe	103
PID 4640 wrote to memory of 1320	4640	backup.exe	103
PID 1320 wrote to memory of 1168	1320	backup.exe	105
PID 1320 wrote to memory of 1168	1320	backup.exe	105
PID 1320 wrote to memory of 1168	1320	backup.exe	105
PID 1320 wrote to memory of 3540	1320	backup.exe	106
PID 1320 wrote to memory of 3540	1320	backup.exe	106
PID 1320 wrote to memory of 3540	1320	backup.exe	106
PID 3540 wrote to memory of 3188	3540	backup.exe	107

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe
"C:\Users\Admin\AppData\Local\Temp\077b01f89d9cd1f419987b41635de17674dc77e7ca4701b8d58b68426d1612a2.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4332
- C:\Users\Admin\AppData\Local\Temp\{BA0E222F-3300-4CD9-9ED1-F5D606717A02}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{BA0E222F-3300-4CD9-9ED1-F5D606717A02}\backup.exe C:\Users\Admin\AppData\Local\Temp\{BA0E222F-3300-4CD9-9ED1-F5D606717A02}\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\data.exe
    \data.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2888
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4888
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3588
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3548
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4640
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2140
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1320
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3540
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3188
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3260
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3120
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2008
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3196
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4604
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:804
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2284
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3580
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3060
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4172
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1912
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2500
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2172
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3128
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2148
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:672
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3380
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5044
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:872
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1048
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:736
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4888
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4392
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4644
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1168
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3068
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1312
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5056
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:636
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2484
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3196
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4880
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\data.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:8
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4440
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:2680
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1592
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        System policy modification
        
        PID:440
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:828
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:420
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1580
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:5016
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3512
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:3464
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:5064
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:4952
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:3092
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:660
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:3300
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:1012
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\
        8⤵
        
        PID:1448
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:4644
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:2960
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:3788
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:3120
        
        C:\Program Files\Common Files\microsoft shared\Stationery\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4824
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:4028
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:1796
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:2020
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:3688
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:1664
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:1484
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:3140
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:1572
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:3480
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1196
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1872
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:3828
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:3288
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:932
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:4904
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1408
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:4696
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4536
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:4152
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:3544
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:3044
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:4264
        
        C:\Program Files\Common Files\System\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\it-IT\update.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:380
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:5084
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:4348
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:4504
        
        C:\Program Files\Common Files\System\msadc\en-US\update.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\update.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:3948
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:3576
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:4684
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:3296
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1796
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:4176
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1820
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2860
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\update.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:3688
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:4796
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:4428
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1484
        
        C:\Program Files\Common Files\System\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\System\uk-UA\backup.exe" C:\Program Files\Common Files\System\uk-UA\
        7⤵
        
        PID:808
    - - C:\Program Files\dotnet\backup.exe
        
        "C:\Program Files\dotnet\backup.exe" C:\Program Files\dotnet\
        5⤵
        
        PID:4588
      - C:\Program Files\dotnet\host\backup.exe
        
        "C:\Program Files\dotnet\host\backup.exe" C:\Program Files\dotnet\host\
        6⤵
        
        PID:960
        
        C:\Program Files\dotnet\host\fxr\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\backup.exe" C:\Program Files\dotnet\host\fxr\
        7⤵
        
        PID:1680
        
        C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe" C:\Program Files\dotnet\host\fxr\6.0.27\
        8⤵
        
        PID:420
        
        C:\Program Files\dotnet\host\fxr\7.0.16\System Restore.exe
        
        "C:\Program Files\dotnet\host\fxr\7.0.16\System Restore.exe" C:\Program Files\dotnet\host\fxr\7.0.16\
        8⤵
        
        PID:5016
        
        C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe" C:\Program Files\dotnet\host\fxr\8.0.2\
        8⤵
        
        PID:1988
      - C:\Program Files\dotnet\shared\backup.exe
        
        "C:\Program Files\dotnet\shared\backup.exe" C:\Program Files\dotnet\shared\
        6⤵
        
        PID:2172
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
        7⤵
        
        PID:5088
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\
        8⤵
        
        PID:2676
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\
        8⤵
        
        PID:4792
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\
        8⤵
        
        PID:1584
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\
        7⤵
        
        PID:700
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\
        8⤵
        
        PID:4412
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\
        9⤵
        
        PID:1948
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\
        9⤵
        
        PID:3828
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\
        9⤵
        
        PID:3092
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\
        9⤵
        
        PID:4420
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\
        9⤵
        
        PID:1508
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System Restore.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\
        9⤵
        
        PID:1012
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\
        9⤵
        
        PID:2696
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\
        9⤵
        
        PID:4436
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\
        9⤵
        
        PID:4972
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\
        9⤵
        
        PID:2580
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\
        9⤵
        
        PID:4704
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\
        9⤵
        
        PID:544
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\
        9⤵
        
        PID:2440
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\
        8⤵
        
        PID:940
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\
        9⤵
        
        PID:3068
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\
        9⤵
        
        PID:4880
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\data.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\
        9⤵
        
        PID:2020
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\
        9⤵
        
        PID:4720
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\
        9⤵
        
        PID:4012
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\
        9⤵
        
        PID:4560
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System Restore.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\
        9⤵
        
        PID:4428
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\
        9⤵
        
        PID:3556
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\
        9⤵
        
        PID:3060
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\
        9⤵
        
        PID:2376
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\
        9⤵
        
        PID:4356
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\
        9⤵
        
        PID:1936
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\
        9⤵
        
        PID:2304
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\
        8⤵
        
        PID:3528
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\
        9⤵
        
        PID:2680
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\
        9⤵
        
        PID:4904
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\
        9⤵
        
        PID:2900
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\
        9⤵
        
        PID:4696
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\data.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\
        9⤵
        
        PID:1000
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\
        9⤵
        
        PID:4152
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\
        9⤵
        
        PID:776
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\
        9⤵
        
        PID:4092
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\
        9⤵
        
        PID:4392
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\
        9⤵
        
        PID:1644
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\
        9⤵
        
        PID:3804
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\
        9⤵
        
        PID:1312
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\
        9⤵
        
        PID:3788
      - C:\Program Files\dotnet\swidtag\backup.exe
        
        "C:\Program Files\dotnet\swidtag\backup.exe" C:\Program Files\dotnet\swidtag\
        6⤵
        
        PID:1884
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:4824
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:3868
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:2440
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\
        8⤵
        
        PID:3196
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\
        9⤵
        
        PID:1820
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\
        9⤵
        
        PID:3704
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\
        9⤵
        
        PID:756
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\
        9⤵
        
        PID:4388
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\
        9⤵
        
        PID:4292
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\data.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\data.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\
        9⤵
        
        PID:3036
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\
        9⤵
        
        PID:4176
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\
        10⤵
        
        PID:4640
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:944
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:3140
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1912
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:4816
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2452
      - C:\Program Files\Internet Explorer\es-ES\System Restore.exe
        
        "C:\Program Files\Internet Explorer\es-ES\System Restore.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1320
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:3380
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:4472
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:4524
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2104
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3544
      - C:\Program Files\Internet Explorer\uk-UA\backup.exe
        
        "C:\Program Files\Internet Explorer\uk-UA\backup.exe" C:\Program Files\Internet Explorer\uk-UA\
        6⤵
        
        PID:4888
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2576
      - C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        6⤵
        
        PID:4516
        
        C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        7⤵
        
        PID:4436
        
        C:\Program Files\Java\jdk-1.8\include\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
        7⤵
        
        PID:3820
        
        C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        8⤵
        
        PID:2008
        
        C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
        9⤵
        
        PID:4344
        
        C:\Program Files\Java\jdk-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
        7⤵
        
        PID:1680
        
        C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        8⤵
        
        PID:960
        
        C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
        8⤵
        
        PID:4472
        
        C:\Program Files\Java\jdk-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
        7⤵
        
        PID:1000
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:3660
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:3804
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:3352
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:1860
      - C:\Program Files\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files\Windows Defender\de-DE\backup.exe" C:\Program Files\Windows Defender\de-DE\
        6⤵
        
        PID:1500
      - C:\Program Files\Windows Defender\en-US\backup.exe
        
        "C:\Program Files\Windows Defender\en-US\backup.exe" C:\Program Files\Windows Defender\en-US\
        6⤵
        
        PID:4816
      - C:\Program Files\Windows Defender\es-ES\backup.exe
        
        "C:\Program Files\Windows Defender\es-ES\backup.exe" C:\Program Files\Windows Defender\es-ES\
        6⤵
        
        PID:1964
      - C:\Program Files\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files\Windows Defender\fr-FR\backup.exe" C:\Program Files\Windows Defender\fr-FR\
        6⤵
        
        PID:4492
    - - C:\Program Files\WindowsPowerShell\backup.exe
        
        "C:\Program Files\WindowsPowerShell\backup.exe" C:\Program Files\WindowsPowerShell\
        5⤵
        
        PID:4868
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:4704
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:4280
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        
        PID:2160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:4068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:2060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:3576
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:3612
    - - C:\Program Files (x86)\Common Files\data.exe
        
        "C:\Program Files (x86)\Common Files\data.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:4868
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1028
      - C:\Program Files (x86)\Common Files\System\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\System Restore.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:4636
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:2440
    - - C:\Program Files (x86)\Windows Portable Devices\data.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\data.exe" C:\Program Files (x86)\Windows Portable Devices\
        5⤵
        
        PID:1352
    - - C:\Program Files (x86)\WindowsPowerShell\backup.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\backup.exe" C:\Program Files (x86)\WindowsPowerShell\
        5⤵
        
        PID:1320
- C:\Users\Admin\AppData\Local\Temp\3320188874\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3320188874\backup.exe C:\Users\Admin\AppData\Local\Temp\3320188874\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:408
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1408
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3012

C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
1⤵
PID:700
- C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
  "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
  2⤵
  PID:576
- C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
  "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
  2⤵
  PID:2904

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
1⤵
PID:3808

C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
1⤵
PID:2228

C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
1⤵
PID:1152

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
1⤵
PID:2568

C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
1⤵
PID:3112

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
1⤵
PID:3300

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
1⤵
PID:4504

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
1⤵
PID:3820

C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
1⤵
PID:2340

C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\System Restore.exe
"C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\System Restore.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\
1⤵
PID:3480

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
1⤵
PID:4356
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
  2⤵
  PID:1872
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
    3⤵
    PID:3288
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
  2⤵
  PID:2568
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
  2⤵
  PID:380
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
  2⤵
  PID:3872

C:\Program Files\Java\jre-1.8\bin\backup.exe
"C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
1⤵
PID:5056
- C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
  "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
  2⤵
  PID:3736
- C:\Program Files\Java\jre-1.8\bin\server\backup.exe
  "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
  2⤵
  PID:3688

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
1⤵
PID:4068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
1⤵
PID:4912

C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
"C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
1⤵
PID:3556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
1⤵
PID:944

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
1⤵
PID:3500
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
  2⤵
  PID:4812
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
    3⤵
    PID:828
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
      4⤵
      PID:3288
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        5⤵
        
        PID:3800
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        6⤵
        
        PID:4028
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        5⤵
        
        PID:5116
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        6⤵
        
        PID:4520

C:\Program Files\Java\jre-1.8\lib\backup.exe
"C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
1⤵
PID:3808
- C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
  "C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
  2⤵
  PID:3060
- C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
  "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
  2⤵
  PID:1988
- C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
  "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
  2⤵
  PID:960
- C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe
  "C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe" C:\Program Files\Java\jre-1.8\lib\deploy\
  2⤵
  PID:4152
- C:\Program Files\Java\jre-1.8\lib\security\backup.exe
  "C:\Program Files\Java\jre-1.8\lib\security\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\
  2⤵
  PID:1484
- - C:\Program Files\Java\jre-1.8\lib\security\policy\data.exe
    "C:\Program Files\Java\jre-1.8\lib\security\policy\data.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\
    3⤵
    PID:4424
  - - C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe
      "C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\limited\
      4⤵
      PID:4732
  - - C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe
      "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\
      4⤵
      PID:632

C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
"C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
1⤵
PID:3788

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
1⤵
PID:4052
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
  2⤵
  PID:420
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
  2⤵
  PID:2212

C:\Program Files\Java\jre8\lib\backup.exe
"C:\Program Files\Java\jre8\lib\backup.exe" C:\Program Files\Java\jre8\lib\
1⤵
PID:3236

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
1⤵
PID:4904

C:\Program Files\Microsoft Office\root\backup.exe
"C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
1⤵
PID:2884
- C:\Program Files\Microsoft Office\root\Integration\backup.exe
  "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
  2⤵
  PID:3852
- - C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
    "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
    3⤵
    PID:1528
- C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
  "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
  2⤵
  PID:4052
- C:\Program Files\Microsoft Office\root\Office16\backup.exe
  "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
  2⤵
  PID:1964
- - C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
    3⤵
    PID:4152
  - - C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
      4⤵
      PID:4904
  - - C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
      4⤵
      PID:2348
- - C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
    3⤵
    PID:3812
- - C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
    3⤵
    PID:700
  - - C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
      4⤵
      PID:4868
  - - C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
      4⤵
      PID:3688
    - - C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
        5⤵
        
        PID:1236
  - - C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\
      4⤵
      PID:1592
  - - C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
      4⤵
      PID:3036
    - - C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
        5⤵
        
        PID:3596
    - - C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
        5⤵
        
        PID:2900
    - - C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\
        5⤵
        
        PID:3120
- - C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
    3⤵
    PID:380
- - C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\
    3⤵
    PID:3352
- - C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
    3⤵
    PID:2904
- - C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
    3⤵
    PID:3852
- - C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f2\
    3⤵
    PID:5100
- - C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\
    3⤵
    PID:4720
- - C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\
    3⤵
    PID:3664
- - C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\
    3⤵
    PID:1524
- - C:\Program Files\Microsoft Office\root\Office16\Library\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\Library\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\
    3⤵
    PID:4052
  - - C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\
      4⤵
      PID:4012
  - - C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\
      4⤵
      PID:2228
- - C:\Program Files\Microsoft Office\root\Office16\LogoImages\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\LogoImages\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LogoImages\
    3⤵
    PID:2240
- - C:\Program Files\Microsoft Office\root\Office16\osfFPA\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\osfFPA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\osfFPA\
    3⤵
    PID:1800
- - C:\Program Files\Microsoft Office\root\Office16\PROOF\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\PROOF\backup.exe" C:\Program Files\Microsoft Office\root\Office16\PROOF\
    3⤵
    PID:212

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
1⤵
PID:3540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
1⤵
PID:2008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
1⤵
PID:5056
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
  2⤵
  PID:1644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
1⤵
PID:2376
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
  2⤵
  PID:2936
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
    3⤵
    PID:4360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
1⤵
PID:4612
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
  2⤵
  PID:3148

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
1⤵
PID:2060

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
1⤵
PID:1824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
1⤵
PID:1912

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
1⤵
PID:4520

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
1⤵
PID:636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
1⤵
PID:4292

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
1⤵
PID:808

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
1⤵
PID:3556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
1⤵
PID:3112

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\
1⤵
PID:5100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\
1⤵
PID:4524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\
1⤵
PID:1824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\
1⤵
PID:2348

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\
1⤵
PID:636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\
1⤵
PID:408

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
1⤵
PID:5080
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
  2⤵
  PID:1432

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
1⤵
PID:3832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
1⤵
PID:2408

C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\
1⤵
PID:3300
- C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\backup.exe
  "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\
  2⤵
  PID:3660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\
1⤵
PID:4472

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
1⤵
PID:1824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\
1⤵
PID:3948

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\
1⤵
PID:1312

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\
1⤵
PID:2696

C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\
1⤵
PID:1648

C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\
1⤵
PID:3380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\
1⤵
PID:3132

C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\
1⤵
PID:2060

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\
1⤵
PID:772

C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\
1⤵
PID:3736

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\
1⤵
PID:3812

C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\
1⤵
PID:4612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\
1⤵
PID:544

C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\update.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\update.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\
1⤵
PID:4292

C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\
1⤵
PID:5044

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\
1⤵
PID:1588

C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\
1⤵
PID:5096

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\
1⤵
PID:1236

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\
1⤵
PID:3592

C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\
1⤵
PID:3380

C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\
1⤵
PID:4824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\
1⤵
PID:2228

C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\
1⤵
PID:2060

C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\
1⤵
PID:548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
1⤵
PID:1448
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
  2⤵
  PID:3120

C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\
1⤵
PID:3296

C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\
1⤵
PID:2008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\
1⤵
PID:2452

C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\
1⤵
PID:4552

C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\
1⤵
PID:3648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\
1⤵
PID:1604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\
1⤵
PID:3540

C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\
1⤵
PID:5016

C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\
1⤵
PID:3012

C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\
1⤵
PID:2008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\
1⤵
PID:4720

C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\
1⤵
PID:3812
- C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\backup.exe
  "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\
  2⤵
  PID:3148
- - C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\
    3⤵
    PID:3796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\
1⤵
PID:5080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\
1⤵
PID:1432

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\
1⤵
PID:4732

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\
1⤵
PID:4508

C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\
1⤵
PID:4684

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\
1⤵
PID:3132

C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\
1⤵
PID:5096

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\
1⤵
PID:2408

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\
1⤵
PID:4520

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
1⤵
PID:3688
- C:\Users\Admin\3D Objects\backup.exe
  "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
  2⤵
  PID:2568
- C:\Users\Admin\Contacts\backup.exe
  C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
  2⤵
  PID:4184
- C:\Users\Admin\Desktop\backup.exe
  C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
  2⤵
  PID:3788
- C:\Users\Admin\Documents\backup.exe
  C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
  2⤵
  PID:2340
- C:\Users\Admin\Favorites\backup.exe
  C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
  2⤵
  PID:1076
- C:\Users\Admin\Links\backup.exe
  C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
  2⤵
  PID:3296
- C:\Users\Admin\Music\backup.exe
  C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
  2⤵
  PID:4384
- C:\Users\Admin\OneDrive\System Restore.exe
  "C:\Users\Admin\OneDrive\System Restore.exe" C:\Users\Admin\OneDrive\
  2⤵
  PID:1644
- C:\Users\Admin\Searches\backup.exe
  C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
  2⤵
  PID:1872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\
1⤵
PID:2900

C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\
1⤵
PID:4412

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
1⤵
PID:2612

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
"C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
1⤵
PID:2260

C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\
1⤵
PID:3036

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\
1⤵
PID:3580
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\
  2⤵
  PID:4544
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\
    3⤵
    PID:756
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\
  2⤵
  PID:4796
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\
    3⤵
    PID:2452
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\
    3⤵
    PID:860
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\
      4⤵
      PID:3764
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\
        5⤵
        
        PID:1404
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\
    3⤵
    PID:2160
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\
      4⤵
      PID:4868
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ar-ae\
        5⤵
        
        PID:4388
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\
        5⤵
        
        PID:1248
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\
        5⤵
        
        PID:1820
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\
        5⤵
        
        PID:4904
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\
        5⤵
        
        PID:3636
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\
        5⤵
        
        PID:2936
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\
        5⤵
        
        PID:5056
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\
        5⤵
        
        PID:3868
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\
        5⤵
        
        PID:444

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
1⤵
PID:3784
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
  2⤵
  PID:1316
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
    3⤵
    PID:384
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
    3⤵
    PID:4152
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
    3⤵
    PID:3092

C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\
1⤵
PID:3288
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\backup.exe
  "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\
  2⤵
  PID:548
- - C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\
    3⤵
    PID:540
  - - C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\
      4⤵
      PID:1136

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\
1⤵
PID:3060

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
1⤵
PID:3788
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
  2⤵
  PID:1820
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
  2⤵
  PID:544
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
    3⤵
    PID:1268
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
      4⤵
      PID:3632
    - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        5⤵
        
        PID:3196
      - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        6⤵
        
        PID:3044
    - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        5⤵
        
        PID:1820

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\
1⤵
PID:3552
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\
  2⤵
  PID:960
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\
    3⤵
    PID:1388
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\
    3⤵
    PID:5100
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\
    3⤵
    PID:3500
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\
    3⤵
    PID:4056
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\
    3⤵
    PID:3188
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\
    3⤵
    PID:1732
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\
    3⤵
    PID:3012
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\
    3⤵
    PID:3660
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\
    3⤵
    PID:756
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\
    3⤵
    PID:4560
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\
    3⤵
    PID:4436
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\
    3⤵
    PID:380
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\
    3⤵
    PID:2160
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\
    3⤵
    PID:1796
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\
    3⤵
    PID:1236
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\
    3⤵
    PID:548

C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\
1⤵
PID:2612

C:\Users\Admin\Pictures\Camera Roll\backup.exe
"C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
1⤵
PID:2240

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
1⤵
PID:1352

C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
"C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
1⤵
PID:2256

C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
1⤵
PID:2464

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
1⤵
PID:744

C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\
1⤵
PID:3736

C:\Windows\appcompat\appraiser\backup.exe
C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
1⤵
PID:4436

C:\Program Files\Mozilla Firefox\defaults\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
1⤵
PID:2576

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\
1⤵
PID:660

C:\Program Files\Mozilla Firefox\fonts\backup.exe
"C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
1⤵
PID:2284

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\
1⤵
PID:804

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\
1⤵
PID:3156

C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
1⤵
PID:872

C:\Program Files\Microsoft Office\root\vfs\Fonts\private\System Restore.exe
"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\
1⤵
PID:2240

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
1⤵
PID:3236

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\
1⤵
PID:3784

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\
1⤵
PID:808
- C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
  "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
  2⤵
  PID:1860
- - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe
    "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
    3⤵
    PID:4456

C:\Windows\apppatch\Custom\Custom64\backup.exe
C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
1⤵
PID:384

C:\Windows\apppatch\CustomSDB\backup.exe
C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
1⤵
PID:4524

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\update.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
1⤵
PID:4712

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\
1⤵
PID:4520

C:\Windows\apppatch\de-DE\backup.exe
C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
1⤵
PID:1692

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
1⤵
PID:4904

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\update.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\
1⤵
PID:1964

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
1⤵
PID:2256

C:\Windows\apppatch\es-ES\backup.exe
C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
1⤵
PID:4932

C:\Windows\apppatch\fr-FR\backup.exe
C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
1⤵
PID:2172

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\
1⤵
PID:3512

C:\Windows\apppatch\it-IT\backup.exe
C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
1⤵
PID:5000

C:\Windows\AppReadiness\backup.exe
C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
1⤵
PID:1352

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
1⤵
PID:2876

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
1⤵
PID:3424
- C:\Windows\assembly\GAC\backup.exe
  C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
  2⤵
  PID:744
- - C:\Windows\assembly\GAC\ADODB\backup.exe
    C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
    3⤵
    PID:3356
  - - C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
      4⤵
      PID:2644
- - C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
    C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
    3⤵
    PID:4340
  - - C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
      4⤵
      PID:4504
- - C:\Windows\assembly\GAC\mscomctl\backup.exe
    C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
    3⤵
    PID:4280
  - - C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
      C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
      4⤵
      PID:1320
- - C:\Windows\assembly\GAC\MSDATASRC\backup.exe
    C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
    3⤵
    PID:660
  - - C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\data.exe
      C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
      4⤵
      PID:3512
- C:\Windows\assembly\GAC_MSIL\backup.exe
  C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
  2⤵
  PID:3536
- - C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe
    C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\
    3⤵
    PID:380
- - C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\backup.exe
    C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\
    3⤵
    PID:4576
  - - C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\
      4⤵
      PID:4152
  - - C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\
      4⤵
      PID:3040
- - C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe
    C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\
    3⤵
    PID:3576
- - C:\Windows\assembly\GAC_MSIL\IEExecRemote\backup.exe
    C:\Windows\assembly\GAC_MSIL\IEExecRemote\backup.exe C:\Windows\assembly\GAC_MSIL\IEExecRemote\
    3⤵
    PID:4408
- - C:\Windows\assembly\GAC_MSIL\IIEHost\data.exe
    C:\Windows\assembly\GAC_MSIL\IIEHost\data.exe C:\Windows\assembly\GAC_MSIL\IIEHost\
    3⤵
    PID:544
  - - C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\
      4⤵
      PID:3784
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\
    3⤵
    PID:1604
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\update.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\update.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\
      4⤵
      PID:2104
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\
    3⤵
    PID:2612
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\
      4⤵
      PID:1520
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\
      4⤵
      PID:1820
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\
    3⤵
    PID:2696
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\
    3⤵
    PID:808
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_es_b03f5f7f11d50a3a\
      4⤵
      PID:1176
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\
    3⤵
    PID:1260
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\
    3⤵
    PID:3300
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\
    3⤵
    PID:912
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\
      4⤵
      PID:1432
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.v9.0\data.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.v9.0\data.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.v9.0\
    3⤵
    PID:4420
- - C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\
    3⤵
    PID:744
- - C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\
    3⤵
    PID:4796
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\
    3⤵
    PID:540
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\3.0.0.0_de_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\3.0.0.0_de_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\3.0.0.0_de_b03f5f7f11d50a3a\
      4⤵
      PID:4436
- - C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop.Forms\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop.Forms\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop.Forms\
    3⤵
    PID:2104
- - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\
    3⤵
    PID:3476
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\System Restore.exe
      "C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\
      4⤵
      PID:2732
- - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\
    3⤵
    PID:3648
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\
      4⤵
      PID:804
- - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\
    3⤵
    PID:1956
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\
      4⤵
      PID:1360
- - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\
    3⤵
    PID:1988
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_de_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_de_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_de_b03f5f7f11d50a3a\
      4⤵
      PID:1284
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_es_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_es_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_es_b03f5f7f11d50a3a\
      4⤵
      PID:1884
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_fr_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_fr_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_fr_b03f5f7f11d50a3a\
      4⤵
      PID:3140
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_it_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_it_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_it_b03f5f7f11d50a3a\
      4⤵
      PID:1236
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_ja_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_ja_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_ja_b03f5f7f11d50a3a\
      4⤵
      PID:3012
- - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\backup.exe
    C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\
    3⤵
    PID:1388
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\8.0.0.0_de_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\8.0.0.0_de_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\8.0.0.0_de_b03f5f7f11d50a3a\
      4⤵
      PID:1644
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\8.0.0.0_es_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\8.0.0.0_es_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\8.0.0.0_es_b03f5f7f11d50a3a\
      4⤵
      PID:4160
  - - C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\8.0.0.0_fr_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\8.0.0.0_fr_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Resources\8.0.0.0_fr_b03f5f7f11d50a3a\
      4⤵
      PID:932
- C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
  2⤵
  PID:3456
- - C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\backup.exe
    C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\
    3⤵
    PID:2836
  - - C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\f8458c8de3d147a80d90bfeb1dbda24e\backup.exe
      C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\f8458c8de3d147a80d90bfeb1dbda24e\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\f8458c8de3d147a80d90bfeb1dbda24e\
      4⤵
      PID:2888
- - C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\backup.exe
    C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\
    3⤵
    PID:1312

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\
1⤵
PID:896
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\data.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\
  2⤵
  PID:4952
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\backup.exe
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\
    3⤵
    PID:4560
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\
  2⤵
  PID:2452
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\
  2⤵
  PID:3796

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
1⤵
PID:4172

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
1⤵
PID:1072

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
1⤵
PID:1404

C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
1⤵
PID:1508

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
1⤵
PID:3884

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\
1⤵
PID:420

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
1⤵
PID:4888

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\
1⤵
PID:5092
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\
  2⤵
  PID:1588

C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
1⤵
PID:1796

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
1⤵
PID:3704

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
1⤵
PID:3800

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
1⤵
PID:1508

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System Restore.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
1⤵
PID:4264

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\
1⤵
PID:2192

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\
1⤵
PID:3528

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\
1⤵
PID:4508

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\
1⤵
PID:4348

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
1⤵
PID:2060

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
1⤵
PID:4492
- C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
  2⤵
  PID:3476

C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
1⤵
PID:4696

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\
1⤵
PID:2104

C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
1⤵
PID:1692

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\
1⤵
PID:3528

C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
1⤵
PID:2836

C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
1⤵
PID:1824

C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\update.exe
C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\update.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
1⤵
PID:1352

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\
1⤵
PID:440

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\
1⤵
PID:4436

C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
1⤵
PID:2876

C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
1⤵
PID:1604

C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
1⤵
PID:3068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\
1⤵
PID:3764

C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
1⤵
PID:2052

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\
1⤵
PID:1940

C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
1⤵
PID:4280

C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
1⤵
PID:2484

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\
1⤵
PID:956

C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
1⤵
PID:4440

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\
1⤵
PID:4360

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\
1⤵
PID:3352

C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\
1⤵
PID:1692

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\
1⤵
PID:632

C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
1⤵
PID:1860

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
1⤵
PID:1796

C:\Windows\assembly\GAC_32\srmlib\backup.exe
C:\Windows\assembly\GAC_32\srmlib\backup.exe C:\Windows\assembly\GAC_32\srmlib\
1⤵
PID:3288

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\data.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\
1⤵
PID:3872

C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
1⤵
PID:3156

C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\update.exe
"C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
1⤵
PID:3296

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\
1⤵
PID:1964

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\
1⤵
PID:1644

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\update.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\
1⤵
PID:4068

C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe
C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\
1⤵
PID:4904

C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\
1⤵
PID:3276

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\
1⤵
PID:4460

C:\Program Files\VideoLAN\VLC\locale\br\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\br\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\
1⤵
PID:2644
- C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\
  2⤵
  PID:2408

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\
1⤵
PID:940

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\
1⤵
PID:420

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
1⤵
PID:1072

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\
1⤵
PID:3636

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\
1⤵
PID:2696

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\
1⤵
PID:1368

C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\
1⤵
PID:3068

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\
1⤵
PID:1664

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\
1⤵
PID:4512

C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\
1⤵
PID:4472

C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
1⤵
PID:4552
- C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\data.exe
  C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
  2⤵
  PID:3608

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\
1⤵
PID:2512

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
1⤵
PID:4424

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
1⤵
PID:2052

C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
1⤵
PID:1860

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\
1⤵
PID:3012
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\update.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\
  2⤵
  PID:5048
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\
  2⤵
  PID:1152
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\
  2⤵
  PID:4012

C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
1⤵
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\data.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
1⤵
PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
  2⤵
  PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
    3⤵
    PID:756
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\
    3⤵
    PID:3840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
      4⤵
      PID:2884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\System Restore.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
      4⤵
      PID:1956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\System Restore.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\
      4⤵
      PID:4504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\
      4⤵
      PID:4264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\
      4⤵
      PID:1388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\
      4⤵
      PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\
    3⤵
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\
    3⤵
    PID:4456

C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\
1⤵
PID:3544

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\
1⤵
PID:1520

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\
1⤵
PID:4192

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\
1⤵
PID:4920

C:\Windows\assembly\GAC_64\srmlib\backup.exe
C:\Windows\assembly\GAC_64\srmlib\backup.exe C:\Windows\assembly\GAC_64\srmlib\
1⤵
PID:4348

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\
1⤵
PID:4472
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\
  2⤵
  PID:956
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\backup.exe
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\
    3⤵
    PID:4408
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\backup.exe
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\
    3⤵
    PID:4644
  - - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\backup.exe
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\
      4⤵
      PID:4492
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\System Restore.exe
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\
    3⤵
    PID:3276
  - - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\backup.exe
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\
      4⤵
      PID:3552
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\
  2⤵
  PID:3608

C:\Windows\assembly\GAC_64\System.Data\backup.exe
C:\Windows\assembly\GAC_64\System.Data\backup.exe C:\Windows\assembly\GAC_64\System.Data\
1⤵
PID:5056

C:\Program Files\VideoLAN\VLC\locale\es\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\es\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\
1⤵
PID:2192

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\
1⤵
PID:4808

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\
1⤵
PID:2748

C:\Windows\assembly\GAC_64\System.Data.OracleClient\backup.exe
C:\Windows\assembly\GAC_64\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_64\System.Data.OracleClient\
1⤵
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\update.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\
1⤵
PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\System Restore.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
  2⤵
  PID:4996

C:\Windows\assembly\GAC_64\System.EnterpriseServices\backup.exe
C:\Windows\assembly\GAC_64\System.EnterpriseServices\backup.exe C:\Windows\assembly\GAC_64\System.EnterpriseServices\
1⤵
PID:4460

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\
1⤵
PID:4580

C:\Windows\assembly\GAC_64\System.Printing\backup.exe
C:\Windows\assembly\GAC_64\System.Printing\backup.exe C:\Windows\assembly\GAC_64\System.Printing\
1⤵
PID:2936
- C:\Windows\assembly\GAC_64\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe
  C:\Windows\assembly\GAC_64\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\System.Printing\3.0.0.0__31bf3856ad364e35\
  2⤵
  PID:4428

C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\
1⤵
PID:1820

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\
1⤵
PID:5064

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\
1⤵
PID:1580

C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\update.exe
C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\update.exe C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\
1⤵
PID:4588

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\
1⤵
PID:3328
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\
  2⤵
  PID:3148
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\backup.exe
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\
    3⤵
    PID:2484

C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\
1⤵
PID:2020

C:\Windows\assembly\GAC_64\System.Web\backup.exe
C:\Windows\assembly\GAC_64\System.Web\backup.exe C:\Windows\assembly\GAC_64\System.Web\
1⤵
PID:2212

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\
1⤵
PID:756

C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\
1⤵
PID:440

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\
1⤵
PID:1644

C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\
1⤵
PID:4172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\
1⤵
PID:896

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\
1⤵
PID:744

C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\
1⤵
PID:2012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\
1⤵
PID:808

C:\Windows\Branding\Basebrd\fr-FR\backup.exe
C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
1⤵
PID:2732

C:\Windows\Branding\Basebrd\ja-JP\backup.exe
C:\Windows\Branding\Basebrd\ja-JP\backup.exe C:\Windows\Branding\Basebrd\ja-JP\
1⤵
PID:3328

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\
1⤵
PID:1484

C:\Windows\Branding\Basebrd\uk-UA\backup.exe
C:\Windows\Branding\Basebrd\uk-UA\backup.exe C:\Windows\Branding\Basebrd\uk-UA\
1⤵
PID:5064

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\
1⤵
PID:5092
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\
  2⤵
  PID:3236
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\backup.exe
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\
    3⤵
    PID:1408

C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\
1⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\
1⤵
PID:1692

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\
1⤵
PID:4408

C:\Windows\Branding\shellbrd\backup.exe
C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
1⤵
PID:4384

C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\
1⤵
PID:744
- C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\
  2⤵
  PID:1628

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\
1⤵
PID:3276

C:\Program Files\VideoLAN\VLC\lua\backup.exe
"C:\Program Files\VideoLAN\VLC\lua\backup.exe" C:\Program Files\VideoLAN\VLC\lua\
1⤵
PID:1424
- C:\Program Files\VideoLAN\VLC\lua\http\backup.exe
  "C:\Program Files\VideoLAN\VLC\lua\http\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\
  2⤵
  PID:4520
- C:\Program Files\VideoLAN\VLC\lua\intf\backup.exe
  "C:\Program Files\VideoLAN\VLC\lua\intf\backup.exe" C:\Program Files\VideoLAN\VLC\lua\intf\
  2⤵
  PID:4660
- C:\Program Files\VideoLAN\VLC\lua\modules\backup.exe
  "C:\Program Files\VideoLAN\VLC\lua\modules\backup.exe" C:\Program Files\VideoLAN\VLC\lua\modules\
  2⤵
  PID:1324

C:\Windows\CbsTemp\backup.exe
C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
1⤵
PID:3884

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\update.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\
1⤵
PID:3640

C:\Windows\Cursors\backup.exe
C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
1⤵
PID:3456

C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\
1⤵
PID:3552

C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\backup.exe
"C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\
1⤵
PID:4424

C:\Windows\DiagTrack\backup.exe
C:\Windows\DiagTrack\backup.exe C:\Windows\DiagTrack\
1⤵
PID:2452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\
1⤵
PID:2012

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
1⤵
PID:2260

C:\Program Files\Windows Media Player\de-DE\backup.exe
"C:\Program Files\Windows Media Player\de-DE\backup.exe" C:\Program Files\Windows Media Player\de-DE\
1⤵
PID:3476

C:\Program Files\VideoLAN\VLC\locale\he\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\he\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\
1⤵
PID:3948

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\
1⤵
PID:3596

C:\Windows\en-US\backup.exe
C:\Windows\en-US\backup.exe C:\Windows\en-US\
1⤵
PID:1452

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\
1⤵
PID:2872
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\
  2⤵
  PID:2440

C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\
1⤵
PID:408

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\
1⤵
PID:1940

C:\Windows\Fonts\backup.exe
C:\Windows\Fonts\backup.exe C:\Windows\Fonts\
1⤵
PID:4952

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\
1⤵
PID:4172

C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\
1⤵
PID:3596

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\
1⤵
PID:4880

C:\Program Files\Windows Media Player\Skins\backup.exe
"C:\Program Files\Windows Media Player\Skins\backup.exe" C:\Program Files\Windows Media Player\Skins\
1⤵
PID:2256

C:\Windows\Globalization\backup.exe
C:\Windows\Globalization\backup.exe C:\Windows\Globalization\
1⤵
PID:1360
- C:\Windows\Globalization\ICU\backup.exe
  C:\Windows\Globalization\ICU\backup.exe C:\Windows\Globalization\ICU\
  2⤵
  PID:3148
- C:\Windows\Globalization\Time Zone\backup.exe
  "C:\Windows\Globalization\Time Zone\backup.exe" C:\Windows\Globalization\Time Zone\
  2⤵
  PID:636

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\data.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\
1⤵
PID:4264

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\
1⤵
PID:3500

C:\Program Files\VideoLAN\VLC\locale\ie\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ie\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ie\
1⤵
PID:1664

C:\Program Files\Windows NT\Accessories\backup.exe
"C:\Program Files\Windows NT\Accessories\backup.exe" C:\Program Files\Windows NT\Accessories\
1⤵
PID:2936

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\data.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\
1⤵
PID:1484

C:\Program Files\Windows NT\TableTextService\backup.exe
"C:\Program Files\Windows NT\TableTextService\backup.exe" C:\Program Files\Windows NT\TableTextService\
1⤵
PID:912
- C:\Program Files\Windows NT\TableTextService\en-US\backup.exe
  "C:\Program Files\Windows NT\TableTextService\en-US\backup.exe" C:\Program Files\Windows NT\TableTextService\en-US\
  2⤵
  PID:444

C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\
1⤵
PID:3120

C:\Windows\Help\en-US\System Restore.exe
"C:\Windows\Help\en-US\System Restore.exe" C:\Windows\Help\en-US\
1⤵
PID:3664

C:\Program Files\VideoLAN\VLC\plugins\d3d11\backup.exe
"C:\Program Files\VideoLAN\VLC\plugins\d3d11\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\d3d11\
1⤵
PID:4420

C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\
1⤵
PID:3020

C:\Program Files\VideoLAN\VLC\plugins\d3d9\System Restore.exe
"C:\Program Files\VideoLAN\VLC\plugins\d3d9\System Restore.exe" C:\Program Files\VideoLAN\VLC\plugins\d3d9\
1⤵
PID:1528

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\
1⤵
PID:3632

C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\data.exe
"C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\
1⤵
PID:1500

C:\Program Files\VideoLAN\VLC\plugins\gui\backup.exe
"C:\Program Files\VideoLAN\VLC\plugins\gui\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\gui\
1⤵
PID:1268

C:\Program Files\Microsoft Office\root\vfs\System\update.exe
"C:\Program Files\Microsoft Office\root\vfs\System\update.exe" C:\Program Files\Microsoft Office\root\vfs\System\
1⤵
PID:1752

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\update.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\update.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\
1⤵
PID:5024

C:\Program Files\VideoLAN\VLC\plugins\lua\backup.exe
"C:\Program Files\VideoLAN\VLC\plugins\lua\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\lua\
1⤵
PID:3012

C:\Program Files\Microsoft Office\root\vfs\Windows\System Restore.exe
"C:\Program Files\Microsoft Office\root\vfs\Windows\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\Windows\
1⤵
PID:4388
- C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\
  2⤵
  PID:3800
- - C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\backup.exe
    "C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\
    3⤵
    PID:632

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\
1⤵
PID:3980

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\
1⤵
PID:420

C:\Program Files\VideoLAN\VLC\plugins\misc\data.exe
"C:\Program Files\VideoLAN\VLC\plugins\misc\data.exe" C:\Program Files\VideoLAN\VLC\plugins\misc\
1⤵
PID:1424

C:\Windows\Help\mui\0C0A\backup.exe
C:\Windows\Help\mui\0C0A\backup.exe C:\Windows\Help\mui\0C0A\
1⤵
PID:3276

C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\
1⤵
PID:3668

C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\
1⤵
PID:3328

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_es_b03f5f7f11d50a3a\
1⤵
PID:4384

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\
1⤵
PID:3352
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\
  2⤵
  PID:2340
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\
  2⤵
  PID:364

C:\Windows\Help\OEM\IndexStore\backup.exe
C:\Windows\Help\OEM\IndexStore\backup.exe C:\Windows\Help\OEM\IndexStore\
1⤵
PID:3556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\
1⤵
PID:636

C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\
1⤵
PID:2408

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\
1⤵
PID:540

C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\backup.exe" C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\
1⤵
PID:4192

C:\Windows\Help\Windows\IndexStore\backup.exe
C:\Windows\Help\Windows\IndexStore\backup.exe C:\Windows\Help\Windows\IndexStore\
1⤵
PID:1732

C:\Program Files\VideoLAN\VLC\plugins\video_chroma\backup.exe
"C:\Program Files\VideoLAN\VLC\plugins\video_chroma\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\video_chroma\
1⤵
PID:380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\
1⤵
PID:540

C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\backup.exe" C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\
1⤵
PID:3576

C:\Program Files\VideoLAN\VLC\plugins\video_filter\backup.exe
"C:\Program Files\VideoLAN\VLC\plugins\video_filter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\video_filter\
1⤵
PID:1824

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\
1⤵
PID:4520

C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\
1⤵
PID:1028

C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\
1⤵
PID:4880

C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\
1⤵
PID:4796

C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\
1⤵
PID:2748
- C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\
  2⤵
  PID:4356

C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\backup.exe" C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\
1⤵
PID:1028

C:\Program Files\VideoLAN\VLC\skins\backup.exe
"C:\Program Files\VideoLAN\VLC\skins\backup.exe" C:\Program Files\VideoLAN\VLC\skins\
1⤵
PID:3068

C:\Program Files (x86)\Windows Defender\it-IT\backup.exe
"C:\Program Files (x86)\Windows Defender\it-IT\backup.exe" C:\Program Files (x86)\Windows Defender\it-IT\
1⤵
PID:540

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\
1⤵
PID:2440

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\
1⤵
PID:4732

C:\Program Files\VideoLAN\VLC\locale\lo\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lo\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lo\
1⤵
PID:3464

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.v3.5\3.5.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.v3.5\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.v3.5\3.5.0.0__b03f5f7f11d50a3a\
1⤵
PID:2676

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\
1⤵
PID:3036

C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_de_31bf3856ad364e35\
1⤵
PID:4920

C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35\
1⤵
PID:4812

C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\
1⤵
PID:3832

C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\System Restore.exe
"C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\System Restore.exe" C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\
1⤵
PID:3592

C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\
1⤵
PID:2172

C:\Windows\IME\IMEJP\help\backup.exe
C:\Windows\IME\IMEJP\help\backup.exe C:\Windows\IME\IMEJP\help\
1⤵
PID:4092

C:\Windows\assembly\NativeImages_v2.0.50727_32\System\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\System\
1⤵
PID:3840

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\
1⤵
PID:3020

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\
1⤵
PID:2020

C:\Program Files (x86)\Windows Media Player\ja-JP\backup.exe
"C:\Program Files (x86)\Windows Media Player\ja-JP\backup.exe" C:\Program Files (x86)\Windows Media Player\ja-JP\
1⤵
PID:384

C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\
1⤵
PID:4360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\
1⤵
PID:852

C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\
1⤵
PID:3800

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\
1⤵
PID:1408

C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\
1⤵
PID:1872

C:\Program Files (x86)\Windows Media Player\Network Sharing\backup.exe
"C:\Program Files (x86)\Windows Media Player\Network Sharing\backup.exe" C:\Program Files (x86)\Windows Media Player\Network Sharing\
1⤵
PID:3020

C:\Windows\IME\ja-JP\backup.exe
C:\Windows\IME\ja-JP\backup.exe C:\Windows\IME\ja-JP\
1⤵
PID:1368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\
1⤵
PID:2872

C:\Windows\ImmersiveControlPanel\backup.exe
C:\Windows\ImmersiveControlPanel\backup.exe C:\Windows\ImmersiveControlPanel\
1⤵
PID:2576
- C:\Windows\ImmersiveControlPanel\images\backup.exe
  C:\Windows\ImmersiveControlPanel\images\backup.exe C:\Windows\ImmersiveControlPanel\images\
  2⤵
  PID:3620
- C:\Windows\ImmersiveControlPanel\pris\backup.exe
  C:\Windows\ImmersiveControlPanel\pris\backup.exe C:\Windows\ImmersiveControlPanel\pris\
  2⤵
  PID:4932

C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\
1⤵
PID:4396

C:\Program Files\VideoLAN\VLC\locale\ms\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ms\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ms\
1⤵
PID:64

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\
1⤵
PID:4580

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\
1⤵
PID:3464

C:\Program Files (x86)\Windows NT\Accessories\backup.exe
"C:\Program Files (x86)\Windows NT\Accessories\backup.exe" C:\Program Files (x86)\Windows NT\Accessories\
1⤵
PID:3660

C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35\
1⤵
PID:2696

C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\
1⤵
PID:2060

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\
1⤵
PID:4796

C:\Program Files (x86)\Windows NT\TableTextService\backup.exe
"C:\Program Files (x86)\Windows NT\TableTextService\backup.exe" C:\Program Files (x86)\Windows NT\TableTextService\
1⤵
PID:3356
- C:\Program Files (x86)\Windows NT\TableTextService\en-US\backup.exe
  "C:\Program Files (x86)\Windows NT\TableTextService\en-US\backup.exe" C:\Program Files (x86)\Windows NT\TableTextService\en-US\
  2⤵
  PID:2008

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\
1⤵
PID:4512

C:\Windows\INF\backup.exe
C:\Windows\INF\backup.exe C:\Windows\INF\
1⤵
PID:3980
- C:\Windows\INF\RemoteAccess\backup.exe
  C:\Windows\INF\RemoteAccess\backup.exe C:\Windows\INF\RemoteAccess\
  2⤵
  PID:3068
- - C:\Windows\INF\RemoteAccess\0407\backup.exe
    C:\Windows\INF\RemoteAccess\0407\backup.exe C:\Windows\INF\RemoteAccess\0407\
    3⤵
    PID:4384
- - C:\Windows\INF\RemoteAccess\0409\backup.exe
    C:\Windows\INF\RemoteAccess\0409\backup.exe C:\Windows\INF\RemoteAccess\0409\
    3⤵
    PID:444
- - C:\Windows\INF\RemoteAccess\0410\update.exe
    C:\Windows\INF\RemoteAccess\0410\update.exe C:\Windows\INF\RemoteAccess\0410\
    3⤵
    PID:4176
- C:\Windows\INF\ServiceModelService 3.0.0.0\backup.exe
  "C:\Windows\INF\ServiceModelService 3.0.0.0\backup.exe" C:\Windows\INF\ServiceModelService 3.0.0.0\
  2⤵
  PID:2012
- - C:\Windows\INF\ServiceModelService 3.0.0.0\0000\backup.exe
    "C:\Windows\INF\ServiceModelService 3.0.0.0\0000\backup.exe" C:\Windows\INF\ServiceModelService 3.0.0.0\0000\
    3⤵
    PID:2348
- - C:\Windows\INF\ServiceModelService 3.0.0.0\0407\data.exe
    "C:\Windows\INF\ServiceModelService 3.0.0.0\0407\data.exe" C:\Windows\INF\ServiceModelService 3.0.0.0\0407\
    3⤵
    PID:4292
- - C:\Windows\INF\ServiceModelService 3.0.0.0\0409\backup.exe
    "C:\Windows\INF\ServiceModelService 3.0.0.0\0409\backup.exe" C:\Windows\INF\ServiceModelService 3.0.0.0\0409\
    3⤵
    PID:1568
- - C:\Windows\INF\ServiceModelService 3.0.0.0\040C\backup.exe
    "C:\Windows\INF\ServiceModelService 3.0.0.0\040C\backup.exe" C:\Windows\INF\ServiceModelService 3.0.0.0\040C\
    3⤵
    PID:4484
- - C:\Windows\INF\ServiceModelService 3.0.0.0\0410\backup.exe
    "C:\Windows\INF\ServiceModelService 3.0.0.0\0410\backup.exe" C:\Windows\INF\ServiceModelService 3.0.0.0\0410\
    3⤵
    PID:1196
- - C:\Windows\INF\ServiceModelService 3.0.0.0\0411\backup.exe
    "C:\Windows\INF\ServiceModelService 3.0.0.0\0411\backup.exe" C:\Windows\INF\ServiceModelService 3.0.0.0\0411\
    3⤵
    PID:1528
- - C:\Windows\INF\ServiceModelService 3.0.0.0\0C0A\update.exe
    "C:\Windows\INF\ServiceModelService 3.0.0.0\0C0A\update.exe" C:\Windows\INF\ServiceModelService 3.0.0.0\0C0A\
    3⤵
    PID:3556
- C:\Windows\INF\SMSvcHost 3.0.0.0\data.exe
  "C:\Windows\INF\SMSvcHost 3.0.0.0\data.exe" C:\Windows\INF\SMSvcHost 3.0.0.0\
  2⤵
  PID:3676
- - C:\Windows\INF\SMSvcHost 3.0.0.0\0000\backup.exe
    "C:\Windows\INF\SMSvcHost 3.0.0.0\0000\backup.exe" C:\Windows\INF\SMSvcHost 3.0.0.0\0000\
    3⤵
    PID:3352
- - C:\Windows\INF\SMSvcHost 3.0.0.0\0407\backup.exe
    "C:\Windows\INF\SMSvcHost 3.0.0.0\0407\backup.exe" C:\Windows\INF\SMSvcHost 3.0.0.0\0407\
    3⤵
    PID:4420
- - C:\Windows\INF\SMSvcHost 3.0.0.0\0409\backup.exe
    "C:\Windows\INF\SMSvcHost 3.0.0.0\0409\backup.exe" C:\Windows\INF\SMSvcHost 3.0.0.0\0409\
    3⤵
    PID:4428
- - C:\Windows\INF\SMSvcHost 3.0.0.0\040C\backup.exe
    "C:\Windows\INF\SMSvcHost 3.0.0.0\040C\backup.exe" C:\Windows\INF\SMSvcHost 3.0.0.0\040C\
    3⤵
    PID:3296
- - C:\Windows\INF\SMSvcHost 3.0.0.0\0410\backup.exe
    "C:\Windows\INF\SMSvcHost 3.0.0.0\0410\backup.exe" C:\Windows\INF\SMSvcHost 3.0.0.0\0410\
    3⤵
    PID:2644
- - C:\Windows\INF\SMSvcHost 3.0.0.0\0411\backup.exe
    "C:\Windows\INF\SMSvcHost 3.0.0.0\0411\backup.exe" C:\Windows\INF\SMSvcHost 3.0.0.0\0411\
    3⤵
    PID:1520
- - C:\Windows\INF\SMSvcHost 3.0.0.0\0C0A\backup.exe
    "C:\Windows\INF\SMSvcHost 3.0.0.0\0C0A\backup.exe" C:\Windows\INF\SMSvcHost 3.0.0.0\0C0A\
    3⤵
    PID:1588
- C:\Windows\INF\SMSvcHost 4.0.0.0\backup.exe
  "C:\Windows\INF\SMSvcHost 4.0.0.0\backup.exe" C:\Windows\INF\SMSvcHost 4.0.0.0\
  2⤵
  PID:4280

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\
1⤵
PID:3068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\
1⤵
PID:468

C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_ja_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_ja_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_ja_31bf3856ad364e35\
1⤵
PID:756

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\
1⤵
PID:444

C:\Windows\INF\BITS\0409\backup.exe
C:\Windows\INF\BITS\0409\backup.exe C:\Windows\INF\BITS\0409\
1⤵
PID:4436

C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\95ce4e7117457677f847d9f26c3bdf0b\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\95ce4e7117457677f847d9f26c3bdf0b\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\95ce4e7117457677f847d9f26c3bdf0b\
1⤵
PID:1500

C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Excel\15.0.0.0__71e9bce111e9429c\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Excel\15.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Excel\15.0.0.0__71e9bce111e9429c\
1⤵
PID:2240

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\
1⤵
PID:3636

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\backup.exe
"C:\Program Files (x86)\Windows Photo Viewer\ja-JP\backup.exe" C:\Program Files (x86)\Windows Photo Viewer\ja-JP\
1⤵
PID:5048

C:\Windows\INF\BITS\0411\backup.exe
C:\Windows\INF\BITS\0411\backup.exe C:\Windows\INF\BITS\0411\
1⤵
PID:1580

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\
1⤵
PID:4860
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\
  2⤵
  PID:2376

C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\
1⤵
PID:1752

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\
1⤵
PID:4644

C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\15.0.0.0__71e9bce111e9429c\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\15.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\15.0.0.0__71e9bce111e9429c\
1⤵
PID:4152

C:\Windows\INF\ESENT\0407\backup.exe
C:\Windows\INF\ESENT\0407\backup.exe C:\Windows\INF\ESENT\0407\
1⤵
PID:1508

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\
1⤵
PID:4612

C:\Program Files\VideoLAN\VLC\locale\pl\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\pl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pl\
1⤵
PID:636

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\
1⤵
PID:444

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\
1⤵
PID:3800

C:\Program Files\VideoLAN\VLC\locale\ps\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ps\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ps\
1⤵
PID:1528

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\data.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\data.exe" C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\
1⤵
PID:3376

C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\System Restore.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\System Restore.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\
1⤵
PID:4388

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\
1⤵
PID:3612

C:\Windows\INF\ESENT\0C0A\backup.exe
C:\Windows\INF\ESENT\0C0A\backup.exe C:\Windows\INF\ESENT\0C0A\
1⤵
PID:3764

C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\c4e350255dfdcb7457109e297b572b31\
1⤵
PID:4396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\
1⤵
PID:2876

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\
1⤵
PID:2748

C:\Program Files\WindowsPowerShell\Modules\Pester\update.exe
"C:\Program Files\WindowsPowerShell\Modules\Pester\update.exe" C:\Program Files\WindowsPowerShell\Modules\Pester\
1⤵
PID:3328
- C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\backup.exe
  "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\backup.exe" C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\
  2⤵
  PID:3576
- - C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\backup.exe
    "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\backup.exe" C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\
    3⤵
    PID:2644

C:\Windows\INF\LSM\0409\backup.exe
C:\Windows\INF\LSM\0409\backup.exe C:\Windows\INF\LSM\0409\
1⤵
PID:2656

C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\backup.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\
1⤵
PID:4644
- C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\backup.exe
  "C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\
  2⤵
  PID:364

C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\
1⤵
PID:3356

C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\backup.exe" C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\
1⤵
PID:1860

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\
1⤵
PID:1312

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\8d4be6e5a963721e5560e61d906a875a\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\8d4be6e5a963721e5560e61d906a875a\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\8d4be6e5a963721e5560e61d906a875a\
1⤵
PID:3512

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\
1⤵
PID:4456

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\
1⤵
PID:4340

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\
1⤵
PID:2876

C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\backup.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\
1⤵
PID:960

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\410cb32fbed28bfc3ce04df7c4f70c33\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\410cb32fbed28bfc3ce04df7c4f70c33\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\410cb32fbed28bfc3ce04df7c4f70c33\
1⤵
PID:4088

C:\Windows\INF\MSDTC\0410\backup.exe
C:\Windows\INF\MSDTC\0410\backup.exe C:\Windows\INF\MSDTC\0410\
1⤵
PID:3764

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\
1⤵
PID:860

C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\backup.exe
"C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\backup.exe" C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\
1⤵
PID:1628

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\bfdaea28d1c61b8d6ebb102bbf468c49\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\bfdaea28d1c61b8d6ebb102bbf468c49\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\bfdaea28d1c61b8d6ebb102bbf468c49\
1⤵
PID:4492

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\
1⤵
PID:4952

C:\Program Files\VideoLAN\VLC\locale\sr\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\sr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sr\
1⤵
PID:4092

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_es_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_es_31bf3856ad364e35\
1⤵
PID:3840

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_fr_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_fr_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_fr_31bf3856ad364e35\
1⤵
PID:3556

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\backup.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\
1⤵
PID:852
- C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\backup.exe
  "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\
  2⤵
  PID:4516
- - C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\data.exe
    "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\data.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\
    3⤵
    PID:1436
- - C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\backup.exe
    "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\
    3⤵
    PID:860
- - C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\backup.exe
    "C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\
    3⤵
    PID:672

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\
1⤵
PID:1484

C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\
1⤵
PID:3784

C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\backup.exe
"C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\backup.exe" C:\Windows\INF\MSDTC Bridge 3.0.0.0\0411\
1⤵
PID:4812

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\
1⤵
PID:4408
- C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\3af15851d0895c008963e8edc7223233\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\3af15851d0895c008963e8edc7223233\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\3af15851d0895c008963e8edc7223233\
  2⤵
  PID:1388

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\
1⤵
PID:1000

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_es_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_es_31bf3856ad364e35\
1⤵
PID:4344

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\
1⤵
PID:4552

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\backup.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\
1⤵
PID:3764

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\
1⤵
PID:1268

C:\Windows\INF\MSDTC Bridge 4.0.0.0\0C0A\backup.exe
"C:\Windows\INF\MSDTC Bridge 4.0.0.0\0C0A\backup.exe" C:\Windows\INF\MSDTC Bridge 4.0.0.0\0C0A\
1⤵
PID:4956

C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\System Restore.exe
"C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\
1⤵
PID:3840

C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\
1⤵
PID:1352

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\
1⤵
PID:5116
- C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\d0d5ef42c0e8cf225d6f02493cafd965\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\d0d5ef42c0e8cf225d6f02493cafd965\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\d0d5ef42c0e8cf225d6f02493cafd965\
  2⤵
  PID:3044

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35\
1⤵
PID:1284

C:\Windows\INF\PERFLIB\040C\backup.exe
C:\Windows\INF\PERFLIB\040C\backup.exe C:\Windows\INF\PERFLIB\040C\
1⤵
PID:4004

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\
1⤵
PID:1012

C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\
1⤵
PID:3020

C:\Windows\INF\PERFLIB\0410\backup.exe
C:\Windows\INF\PERFLIB\0410\backup.exe C:\Windows\INF\PERFLIB\0410\
1⤵
PID:3884

C:\Windows\INF\PERFLIB\0411\backup.exe
C:\Windows\INF\PERFLIB\0411\backup.exe C:\Windows\INF\PERFLIB\0411\
1⤵
PID:5028

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_it_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_it_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_it_31bf3856ad364e35\
1⤵
PID:3612

C:\Program Files\VideoLAN\VLC\locale\vi\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\vi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\vi\
1⤵
PID:848
- C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\
  2⤵
  PID:3540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\
1⤵
PID:1520

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\81091ae499b2593b4e8a4b012e6a7c1b\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\81091ae499b2593b4e8a4b012e6a7c1b\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\81091ae499b2593b4e8a4b012e6a7c1b\
1⤵
PID:4904

C:\Windows\ja-JP\backup.exe
C:\Windows\ja-JP\backup.exe C:\Windows\ja-JP\
1⤵
PID:3664

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35\
1⤵
PID:3800

C:\Windows\INF\PNRPSvc\0410\backup.exe
C:\Windows\INF\PNRPSvc\0410\backup.exe C:\Windows\INF\PNRPSvc\0410\
1⤵
PID:3620

C:\Windows\LiveKernelReports\backup.exe
C:\Windows\LiveKernelReports\backup.exe C:\Windows\LiveKernelReports\
1⤵
PID:4912

C:\Windows\INF\PNRPSvc\0411\update.exe
C:\Windows\INF\PNRPSvc\0411\update.exe C:\Windows\INF\PNRPSvc\0411\
1⤵
PID:1408

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\
1⤵
PID:4504

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\
1⤵
PID:1572

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\backup.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\
1⤵
PID:2380
- C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\backup.exe
  "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\
  2⤵
  PID:4520
- - C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\backup.exe
    "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\
    3⤵
    PID:1156
- - C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\backup.exe
    "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\
    3⤵
    PID:4420

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_ja_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_ja_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_ja_31bf3856ad364e35\
1⤵
PID:2876

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\
1⤵
PID:3020

C:\Windows\Logs\MoSetup\backup.exe
C:\Windows\Logs\MoSetup\backup.exe C:\Windows\Logs\MoSetup\
1⤵
PID:912

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\
1⤵
PID:2568

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\backup.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\
1⤵
PID:1648

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\09b91f03d16fc39bc49c0ed85b6903a2\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\09b91f03d16fc39bc49c0ed85b6903a2\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\09b91f03d16fc39bc49c0ed85b6903a2\
1⤵
PID:3276

C:\Windows\Logs\SIH\backup.exe
C:\Windows\Logs\SIH\backup.exe C:\Windows\Logs\SIH\
1⤵
PID:4808

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_fr_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_fr_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_fr_31bf3856ad364e35\
1⤵
PID:2676

C:\Windows\Logs\WindowsUpdate\backup.exe
C:\Windows\Logs\WindowsUpdate\backup.exe C:\Windows\Logs\WindowsUpdate\
1⤵
PID:3948

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\backup.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\backup.exe" C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\
1⤵
PID:1148

C:\Windows\Media\System Restore.exe
"C:\Windows\Media\System Restore.exe" C:\Windows\Media\
1⤵
PID:2732

C:\Windows\Microsoft.NET\backup.exe
C:\Windows\Microsoft.NET\backup.exe C:\Windows\Microsoft.NET\
1⤵
PID:4472

C:\Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\4bf48e6215e868c5f15ab3cf5e717b90\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\4bf48e6215e868c5f15ab3cf5e717b90\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\4bf48e6215e868c5f15ab3cf5e717b90\
1⤵
PID:3784

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\
1⤵
PID:3788

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\35da45d13c5581cadfd0546af1ffa6e9\data.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\35da45d13c5581cadfd0546af1ffa6e9\data.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\35da45d13c5581cadfd0546af1ffa6e9\
1⤵
PID:3196

C:\Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\update.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\update.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\
1⤵
PID:3660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\update.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\
1⤵
PID:1236

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\
1⤵
PID:2376

C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Dtc.Resources\3.0.0.0_it_b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Dtc.Resources\3.0.0.0_it_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Dtc.Resources\3.0.0.0_it_b03f5f7f11d50a3a\
1⤵
PID:1320

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\
1⤵
PID:808

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9dc8ecabf3587fd779eed1e7c1376c22\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9dc8ecabf3587fd779eed1e7c1376c22\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9dc8ecabf3587fd779eed1e7c1376c22\
1⤵
PID:860

C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\62d027db4e48b2e35ce8272c55ed780e\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\62d027db4e48b2e35ce8272c55ed780e\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\62d027db4e48b2e35ce8272c55ed780e\
1⤵
PID:672

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\
1⤵
PID:1196

C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\data.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\data.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\
1⤵
PID:5048

C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0C0A\data.exe
"C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0C0A\data.exe" C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0C0A\
1⤵
PID:2020

C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\backup.exe
C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\
1⤵
PID:4660
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\
  2⤵
  PID:1320
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\
  2⤵
  PID:3188

C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\
1⤵
PID:2452

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C99be4d25#\3b83a5f5f3e7d4519ef1541797fb0868\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C99be4d25#\3b83a5f5f3e7d4519ef1541797fb0868\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C99be4d25#\3b83a5f5f3e7d4519ef1541797fb0868\
1⤵
PID:3648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\
1⤵
PID:404

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\
1⤵
PID:2348

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\4de3858b9394861311e54b68def9b9f1\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\4de3858b9394861311e54b68def9b9f1\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\4de3858b9394861311e54b68def9b9f1\
1⤵
PID:3632

C:\Windows\INF\ServiceModelOperation 3.0.0.0\0410\backup.exe
"C:\Windows\INF\ServiceModelOperation 3.0.0.0\0410\backup.exe" C:\Windows\INF\ServiceModelOperation 3.0.0.0\0410\
1⤵
PID:4888

C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\8681b49f8f2e3fb6d7848aef17e4fb1f\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\8681b49f8f2e3fb6d7848aef17e4fb1f\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\8681b49f8f2e3fb6d7848aef17e4fb1f\
1⤵
PID:1196

C:\Windows\INF\ServiceModelOperation 3.0.0.0\0411\backup.exe
"C:\Windows\INF\ServiceModelOperation 3.0.0.0\0411\backup.exe" C:\Windows\INF\ServiceModelOperation 3.0.0.0\0411\
1⤵
PID:3664

C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\backup.exe
C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\
1⤵
PID:400
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\
  2⤵
  PID:3552

C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\
1⤵
PID:2376
- C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\085cda9eebdee4ba67ebbcfb4dfa8c85\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\085cda9eebdee4ba67ebbcfb4dfa8c85\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\085cda9eebdee4ba67ebbcfb4dfa8c85\
  2⤵
  PID:2576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\
1⤵
PID:3544

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\7dbb2a0aca626d77ea20c20c40f32e60\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\7dbb2a0aca626d77ea20c20c40f32e60\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\7dbb2a0aca626d77ea20c20c40f32e60\
1⤵
PID:1284

C:\Windows\INF\ServiceModelOperation 3.0.0.0\0C0A\System Restore.exe
"C:\Windows\INF\ServiceModelOperation 3.0.0.0\0C0A\System Restore.exe" C:\Windows\INF\ServiceModelOperation 3.0.0.0\0C0A\
1⤵
PID:1664

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\
1⤵
PID:3788
- C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\285f79ebfbbdb039fc9607065b17587f\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\285f79ebfbbdb039fc9607065b17587f\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\285f79ebfbbdb039fc9607065b17587f\
  2⤵
  PID:3464

C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands\backup.exe
C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands\
1⤵
PID:1732
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands\v4.0_10.0.0.0__31bf3856ad364e35\System Restore.exe
  "C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands\v4.0_10.0.0.0__31bf3856ad364e35\System Restore.exe" C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands\v4.0_10.0.0.0__31bf3856ad364e35\
  2⤵
  PID:2040

C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\
1⤵
PID:3236
- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\c4a96325490751c8606894bbe3306589\System Restore.exe
  "C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\c4a96325490751c8606894bbe3306589\System Restore.exe" C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\c4a96325490751c8606894bbe3306589\
  2⤵
  PID:324

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\
1⤵
PID:3640
- C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\cdb4ab324ded8baddb0daf8a2d757ca5\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\cdb4ab324ded8baddb0daf8a2d757ca5\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\cdb4ab324ded8baddb0daf8a2d757ca5\
  2⤵
  PID:5004

C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\backup.exe
C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\
1⤵
PID:4308
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\
  2⤵
  PID:3592
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\
  2⤵
  PID:5016
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\
  2⤵
  PID:968
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\
  2⤵
  PID:4012

C:\Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\
1⤵
PID:4912
- C:\Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\679ef210e507dd4acebe324d3d5fd13a\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\679ef210e507dd4acebe324d3d5fd13a\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\679ef210e507dd4acebe324d3d5fd13a\
  2⤵
  PID:2440

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\
1⤵
PID:4780
- C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\9761aa02e459394769888f74d97b844c\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\9761aa02e459394769888f74d97b844c\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\9761aa02e459394769888f74d97b844c\
  2⤵
  PID:4456

C:\Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\
1⤵
PID:1752
- C:\Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\f615f628433cab34a98f99334931a2a3\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\f615f628433cab34a98f99334931a2a3\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\f615f628433cab34a98f99334931a2a3\
  2⤵
  PID:3500

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\
1⤵
PID:932

C:\Windows\assembly\NativeImages_v4.0.30319_32\System\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\System\
1⤵
PID:4612
- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\9d8e5e65320ca92e49017f3043701e5f\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\System\9d8e5e65320ca92e49017f3043701e5f\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\System\9d8e5e65320ca92e49017f3043701e5f\
  2⤵
  PID:4908

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\
1⤵
PID:1940
- C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c5fa38bfe4dcc7609a932de565e0902d\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c5fa38bfe4dcc7609a932de565e0902d\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c5fa38bfe4dcc7609a932de565e0902d\
  2⤵
  PID:2340

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\
1⤵
PID:4356
- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\
  2⤵
  PID:4888

C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe
C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\
1⤵
PID:3764
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\v4.0_10.0.0.0__31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\v4.0_10.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\v4.0_10.0.0.0__31bf3856ad364e35\
  2⤵
  PID:4712

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\
1⤵
PID:940
- C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\d8c6c061391afad5d08eeee96bda9e8f\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\d8c6c061391afad5d08eeee96bda9e8f\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\d8c6c061391afad5d08eeee96bda9e8f\
  2⤵
  PID:4584

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\
1⤵
PID:3760
- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4a9323e1e332fcc6d5128407fd3404f3\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4a9323e1e332fcc6d5128407fd3404f3\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4a9323e1e332fcc6d5128407fd3404f3\
  2⤵
  PID:3592

C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe
C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\
1⤵
PID:1580
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\backup.exe
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\
  2⤵
  PID:2012

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\
1⤵
PID:3356
- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\981b8642758ae60742542a145db9e64b\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\981b8642758ae60742542a145db9e64b\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\981b8642758ae60742542a145db9e64b\
  2⤵
  PID:4184

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\
1⤵
PID:4492
- C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\66022bc189e2124d006343cd9ff28a96\backup.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\66022bc189e2124d006343cd9ff28a96\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\66022bc189e2124d006343cd9ff28a96\
  2⤵
  PID:3068

C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\
1⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
506ed4a8b19acb4f8808a486e461f55d

SHA1
dd1cba17e5ab32d1613adfd13bb70d21957c3696

SHA256
fbdc614ea227757a5d080bd71445789ec869d6c050661365db33ef244534ca7c

SHA512
c4bf60ef42021d709635284ceb920c75526f69bd1e6de7cf9f50d3e0d59a4dcba221b0b705a9f7a2788bc8b7c7492a6c007147cd54101fac6a62bced2fabdf2b

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
94b0f52a0504b6c940dbaa915ddaf900

SHA1
0fdf4d9d4b6896866b529398248acd5b1df5b4c0

SHA256
4df5c4b78e48368ba9e8e8c9bd9ad38e253c32590b760217b4309701e233f722

SHA512
dfe09916900e81a43ee1e61cec47a9ac148234d86e0fcd032ee32ecb600c026b2ad659cb03ceace76f06ca27cc0b1095a82c9a7cc85aa405c455d1497371e508

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ab6786e8003af7b9ba88a15f2ca006e5

SHA1
850a696ebdd47ea8019c01aefb776131e052f108

SHA256
580ceeb4cd11a761c8296df36cf31ea2f77d37cb296d42f9348fb040b15941d3

SHA512
7c9597d38866f054443d0bad930a0a79d50c271a46c9d6762678c3a50f353f49e965a0fd8ca279387ba2b9e56e0371eb87941b9b033f9edc0fefe788708af1f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
95f31e4bef2ef4fdb803c1840e7d39de

SHA1
b2760e84a6d467495baad5899cb854559c7eabef

SHA256
505d4388b59b36285af00104375cc9e462345c9c79b419742467defa74860278

SHA512
07c5f38bc2d51bd3f09a8cb6bb61a4be0f84cdf6a2b6dc07549f8f437235f14460ec38579548e18ac65199ec0f89788df9dd5a98baa5227b007b74ce8e981f7e

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
4818091635bd1a210a32dcbf15a9a036

SHA1
fafe1282e0c42dded7a67a708f4062889f32ab20

SHA256
29baba4fc0e52345475b0d71b8555c29062cfeb74a5fdec9b8cde7103d2c16cd

SHA512
cf493333dfa74f1a81241e22405372f0288aba453265343bfa6756cfd6455848f66f3d11d4146eed1ca232eec5204cae2232f77a5afb733ff4f38423eb6039a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
8fa32683a56f2313174c175551139db8

SHA1
e5a7cdef9bb2991f2c75ad372238f71eec2c1b13

SHA256
c72b6cc26f7c216b92003d1717881b140f4a5e4b7719cef93bad735715571ddb

SHA512
4277a9e40747a40e91e2e6a39d6f248e53683f615c3dea007abc8a9f4a8e057b6ec245743373e5a2d41f3b530bf1a4a50298543020237e17a1836e57d1dc8c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
72KB

MD5
c459e639038efb906f2a1abc0628fc5c

SHA1
13ce45b41895c619ab3d6c88a2d2a04380c73b68

SHA256
a4916aa08cab77e20a28307d1ed2fbaf99458079faa7eddb3e0bd0230768ae13

SHA512
a5a25a539f0509dfa1c630eb9cb838993c02ca6cc2087a92ad5382f8337d8918d0ddf146e7f9853c19642214b7d3ddeffd2990ba9f36f75107ab5a15841276b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
72KB

MD5
51912adc323f04bf85f1380e3e04c418

SHA1
48ec21775345f8b4bc56eac92c2770a288a60569

SHA256
318afd579d2c21996d635ca72e9ae8678f1030f7b4e91ae7b5cf20ac575f0390

SHA512
c36ea0d84ab4cbb343fa06fcb5215345d1cb1379f03e580b49de93802e1124ef51338f2567b060f94276d81e711f75413cad3562c950bbb04acee9d8df436426

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c00918c020107bca2b31ace0262a4e6c

SHA1
dd1289e2b1cb16ac54ee916c016bea22857450f9

SHA256
a07bf11116df3cfda9636eab594176fbe518857fe2ca58f356a118e6cecd1389

SHA512
463ff84cbc5c99cd43c0c9f79d94fa49ff3679bc42cf36435a36c598be0ecc786503ed0c89df4e4359f4d0208cba0e240a0d1ab284d0ea5ce421806bd335db2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
21KB

MD5
17080d14ff66d4a31c073229ddcaa608

SHA1
c2c26414359b154ba79ecf17a817b1081217e494

SHA256
e57210c368d34db835ba5cf605b8e28a4d2373773c603c8d46651b32466cbb69

SHA512
9b1b0a4b1661b0d9d2b0ac26383c73f2aba9dc1c1f231ac105f511b18cffefa4b93cb5280752e4f533ebe2a81bb758c38d1e6d23788a1db40e029ae5a4b9007f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BA0E222F-3300-4CD9-9ED1-F5D606717A02}\backup.exe

Filesize
72KB

MD5
bcb4077c02e48ae6ba0102af7f7bfc93

SHA1
121e9793b2a3fb7e81873cd386661abc8fd82000

SHA256
e4158735c556e7bff1aea293d34ef9e8ec7328b92f6037cb0ad9056ae8aa68ce

SHA512
c184be46656e942241bd328b37fce3baa0643139c42c4d636e0389b20ebe8fe9acc4fcaf469f7bc4a6f71feefb76a4b66dfc7417c8e3cf607cfc262a7cd0633c

Download Submit
C:\data.exe

Filesize
72KB

MD5
8200b313e4c86153fe3a5007986eeead

SHA1
24fbe65457759f2b756da3dddec3f29fb1c2a7dd

SHA256
213aba0e95f333424df918c00b22b9f6265a7bade87ec8de949259e17439099f

SHA512
edeb6f33d1c49f6577d229092b881c42d0c56238cf1d1737d8e63a1b8616cf71dfbee6a5aca75a05225c4c881f8fa3f3456edc9fdf5dc481f02ae7d9f6b0624f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads