c2d599b39d60e046ece391111752e9c0114d396ff4ef41a2a717ff106cfbe36e

Analysis

max time kernel
30s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77b4c4cc880e608f7fdc7172ad1d9330N.exe
Size

85KB
MD5

77b4c4cc880e608f7fdc7172ad1d9330
SHA1

f049faa9887ab69dfd5d428d97a5d4a4fe87c2d2
SHA256

c2d599b39d60e046ece391111752e9c0114d396ff4ef41a2a717ff106cfbe36e
SHA512

e20b6cca9e392fdd9638e01aa084d0aa5d7499d16c6fe9a2a6b741ca596db89c85411677efe54ba838c91dd9a6e4418f4af23833f993e73ea2347a530aee8c21
SSDEEP

768:8qnum1opQNwC3BESe4Vqth+0V5vKPyLylze70wi3BEmxg:8vm1AeT7BVwxfvLFwjRxg

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1192	backup.exe
1496	backup.exe
2428	backup.exe
3336	backup.exe
3372	backup.exe
944	backup.exe
2388	backup.exe
2912	backup.exe
512	backup.exe
5068	backup.exe
3236	backup.exe
1676	backup.exe
4524	backup.exe
464	backup.exe
1544	backup.exe
3508	backup.exe
4220	backup.exe
676	backup.exe
2648	backup.exe
2308	backup.exe
4972	backup.exe
2508	backup.exe
2324	backup.exe
3544	backup.exe
4396	backup.exe
4352	update.exe
2588	backup.exe
932	backup.exe
4112	backup.exe
3860	backup.exe
452	backup.exe
1608	backup.exe
2912	backup.exe
1672	backup.exe
5028	backup.exe
712	backup.exe
4016	backup.exe
5076	backup.exe
4836	backup.exe
4756	backup.exe
2620	backup.exe
4056	backup.exe
624	backup.exe
2708	backup.exe
3496	System Restore.exe
3008	backup.exe
2812	backup.exe
1900	backup.exe
4412	backup.exe
1144	backup.exe
4984	backup.exe
2648	backup.exe
1796	backup.exe
2640	backup.exe
3884	backup.exe
1376	backup.exe
4768	backup.exe
4884	backup.exe
4360	backup.exe
4328	backup.exe
5016	backup.exe
1640	backup.exe
4276	backup.exe
528	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2700-0-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x000700000002343d-6.dat	upx
behavioral2/memory/1496-20-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2428-21-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/3336-33-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/944-45-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2388-52-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2912-60-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x0008000000023447-59.dat	upx
behavioral2/files/0x0007000000023449-66.dat	upx
behavioral2/memory/2700-67-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x000700000002344b-73.dat	upx
behavioral2/memory/1192-75-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/3236-78-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/5068-82-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/512-84-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/1676-87-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x000800000002344a-93.dat	upx
behavioral2/memory/2428-95-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x000700000002344e-112.dat	upx
behavioral2/memory/464-119-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/3372-122-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x0007000000023450-127.dat	upx
behavioral2/files/0x0007000000023452-133.dat	upx
behavioral2/memory/3508-140-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/4220-138-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x0008000000023456-154.dat	upx
behavioral2/memory/2648-155-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x0007000000023458-161.dat	upx
behavioral2/memory/4972-167-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x000700000002345b-173.dat	upx
behavioral2/memory/4524-174-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2324-181-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/3544-186-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/1544-189-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/4396-194-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/4352-201-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2588-208-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/676-212-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/932-216-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/4112-223-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2308-226-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/3860-231-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/452-239-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/files/0x0008000000023466-240.dat	upx
behavioral2/memory/2508-242-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/1608-247-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2912-251-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/1672-257-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/5028-261-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/712-266-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/5076-283-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/4836-288-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/4756-293-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2620-298-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/4056-303-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/624-308-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2708-313-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/3496-318-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/3008-323-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/4016-324-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/2812-328-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/4016-330-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral2/memory/1900-335-0x0000000000400000-0x000000000041B314-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\data.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\data.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe	backup.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe
1192	backup.exe
1496	backup.exe
2428	backup.exe
3336	backup.exe
3372	backup.exe
944	backup.exe
2388	backup.exe
2912	backup.exe
512	backup.exe
5068	backup.exe
3236	backup.exe
1676	backup.exe
4524	backup.exe
464	backup.exe
1544	backup.exe
3508	backup.exe
4220	backup.exe
676	backup.exe
2648	backup.exe
2308	backup.exe
4972	backup.exe
2508	backup.exe
2324	backup.exe
3544	backup.exe
4396	backup.exe
4352	update.exe
2588	backup.exe
932	backup.exe
4112	backup.exe
3860	backup.exe
452	backup.exe
1608	backup.exe
2912	backup.exe
1672	backup.exe
5028	backup.exe
712	backup.exe
4016	backup.exe
5076	backup.exe
4836	backup.exe
4756	backup.exe
2620	backup.exe
4056	backup.exe
624	backup.exe
2708	backup.exe
3496	System Restore.exe
3008	backup.exe
2812	backup.exe
1900	backup.exe
4412	backup.exe
1144	backup.exe
4984	backup.exe
2648	backup.exe
1796	backup.exe
2640	backup.exe
3884	backup.exe
1376	backup.exe
4768	backup.exe
4884	backup.exe
4360	backup.exe
4328	backup.exe
5016	backup.exe
1640	backup.exe
4276	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1192	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	84
PID 2700 wrote to memory of 1192	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	84
PID 2700 wrote to memory of 1192	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	84
PID 2700 wrote to memory of 1496	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	85
PID 2700 wrote to memory of 1496	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	85
PID 2700 wrote to memory of 1496	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	85
PID 2700 wrote to memory of 2428	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	86
PID 2700 wrote to memory of 2428	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	86
PID 2700 wrote to memory of 2428	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	86
PID 2700 wrote to memory of 3336	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	87
PID 2700 wrote to memory of 3336	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	87
PID 2700 wrote to memory of 3336	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	87
PID 2700 wrote to memory of 3372	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	88
PID 2700 wrote to memory of 3372	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	88
PID 2700 wrote to memory of 3372	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	88
PID 2700 wrote to memory of 944	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	89
PID 2700 wrote to memory of 944	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	89
PID 2700 wrote to memory of 944	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	89
PID 2700 wrote to memory of 2388	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	90
PID 2700 wrote to memory of 2388	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	90
PID 2700 wrote to memory of 2388	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	90
PID 2700 wrote to memory of 2912	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	91
PID 2700 wrote to memory of 2912	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	91
PID 2700 wrote to memory of 2912	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	91
PID 2700 wrote to memory of 512	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	92
PID 2700 wrote to memory of 512	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	92
PID 2700 wrote to memory of 512	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	92
PID 512 wrote to memory of 5068	512	backup.exe	94
PID 512 wrote to memory of 5068	512	backup.exe	94
PID 512 wrote to memory of 5068	512	backup.exe	94
PID 5068 wrote to memory of 3236	5068	backup.exe	96
PID 5068 wrote to memory of 3236	5068	backup.exe	96
PID 5068 wrote to memory of 3236	5068	backup.exe	96
PID 2700 wrote to memory of 1676	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	97
PID 2700 wrote to memory of 1676	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	97
PID 2700 wrote to memory of 1676	2700	77b4c4cc880e608f7fdc7172ad1d9330N.exe	97
PID 1192 wrote to memory of 4524	1192	backup.exe	99
PID 1192 wrote to memory of 4524	1192	backup.exe	99
PID 1192 wrote to memory of 4524	1192	backup.exe	99
PID 4524 wrote to memory of 464	4524	backup.exe	100
PID 4524 wrote to memory of 464	4524	backup.exe	100
PID 4524 wrote to memory of 464	4524	backup.exe	100
PID 4524 wrote to memory of 1544	4524	backup.exe	101
PID 4524 wrote to memory of 1544	4524	backup.exe	101
PID 4524 wrote to memory of 1544	4524	backup.exe	101
PID 1544 wrote to memory of 3508	1544	backup.exe	102
PID 1544 wrote to memory of 3508	1544	backup.exe	102
PID 1544 wrote to memory of 3508	1544	backup.exe	102
PID 3508 wrote to memory of 4220	3508	backup.exe	103
PID 3508 wrote to memory of 4220	3508	backup.exe	103
PID 3508 wrote to memory of 4220	3508	backup.exe	103
PID 1544 wrote to memory of 676	1544	backup.exe	104
PID 1544 wrote to memory of 676	1544	backup.exe	104
PID 1544 wrote to memory of 676	1544	backup.exe	104
PID 676 wrote to memory of 2648	676	backup.exe	105
PID 676 wrote to memory of 2648	676	backup.exe	105
PID 676 wrote to memory of 2648	676	backup.exe	105
PID 676 wrote to memory of 2308	676	backup.exe	106
PID 676 wrote to memory of 2308	676	backup.exe	106
PID 676 wrote to memory of 2308	676	backup.exe	106
PID 2308 wrote to memory of 4972	2308	backup.exe	107
PID 2308 wrote to memory of 4972	2308	backup.exe	107
PID 2308 wrote to memory of 4972	2308	backup.exe	107
PID 2308 wrote to memory of 2508	2308	backup.exe	108

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\77b4c4cc880e608f7fdc7172ad1d9330N.exe
"C:\Users\Admin\AppData\Local\Temp\77b4c4cc880e608f7fdc7172ad1d9330N.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\{E879C586-156D-4912-B47D-AB5C65B508B2}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{E879C586-156D-4912-B47D-AB5C65B508B2}\backup.exe C:\Users\Admin\AppData\Local\Temp\{E879C586-156D-4912-B47D-AB5C65B508B2}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:464
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4220
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:676
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4972
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3544
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4396
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\update.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4352
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4112
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3860
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:452
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5028
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:712
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4016
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5076
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4836
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4056
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:624
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3496
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2812
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1900
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4984
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3884
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4768
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4360
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4276
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4808
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:3004
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:2968
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:3512
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2948
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:2384
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:212
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\update.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:4920
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:400
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:2176
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:4828
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:4628
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:2708
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:2908
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:3008
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:4020
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\
        8⤵
        
        PID:2408
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\data.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:3376
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:3084
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:4720
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:1652
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4140
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:1800
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4384
        
        C:\Program Files\Common Files\microsoft shared\Triedit\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\data.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:4308
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:4572
        
        C:\Program Files\Common Files\microsoft shared\VC\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\data.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:4768
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:4464
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:2148
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:3484
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        System policy modification
        
        PID:5016
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1868
      - C:\Program Files\Common Files\System\data.exe
        
        "C:\Program Files\Common Files\System\data.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:4172
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:2240
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:3500
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:4456
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:224
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1792
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1352
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:5040
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1412
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:4544
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:3880
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:3184
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2468
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        System policy modification
        
        PID:2732
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2908
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:3440
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1124
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:4280
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2040
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        System policy modification
        
        PID:4220
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:5088
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:3084
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:3124
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1724
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:2788
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:4744
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1800
        
        C:\Program Files\Common Files\System\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\System\uk-UA\backup.exe" C:\Program Files\Common Files\System\uk-UA\
        7⤵
        
        PID:1200
    - - C:\Program Files\Crashpad\backup.exe
        
        "C:\Program Files\Crashpad\backup.exe" C:\Program Files\Crashpad\
        5⤵
        
        PID:536
      - C:\Program Files\Crashpad\attachments\data.exe
        
        "C:\Program Files\Crashpad\attachments\data.exe" C:\Program Files\Crashpad\attachments\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4396
      - C:\Program Files\Crashpad\reports\backup.exe
        
        "C:\Program Files\Crashpad\reports\backup.exe" C:\Program Files\Crashpad\reports\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
    - - C:\Program Files\dotnet\backup.exe
        
        "C:\Program Files\dotnet\backup.exe" C:\Program Files\dotnet\
        5⤵
        Drops file in Program Files directory
        
        PID:3632
      - C:\Program Files\dotnet\host\backup.exe
        
        "C:\Program Files\dotnet\host\backup.exe" C:\Program Files\dotnet\host\
        6⤵
        
        PID:4248
        
        C:\Program Files\dotnet\host\fxr\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\backup.exe" C:\Program Files\dotnet\host\fxr\
        7⤵
        Drops file in Program Files directory
        
        PID:2364
        
        C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe" C:\Program Files\dotnet\host\fxr\6.0.27\
        8⤵
        
        PID:4276
        
        C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe" C:\Program Files\dotnet\host\fxr\7.0.16\
        8⤵
        
        PID:1272
        
        C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe" C:\Program Files\dotnet\host\fxr\8.0.2\
        8⤵
        
        PID:4808
      - C:\Program Files\dotnet\shared\backup.exe
        
        "C:\Program Files\dotnet\shared\backup.exe" C:\Program Files\dotnet\shared\
        6⤵
        Drops file in Program Files directory
        
        PID:2700
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\System Restore.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
        7⤵
        
        PID:1668
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\
        8⤵
        
        PID:712
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\
        8⤵
        
        PID:4316
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:708
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\
        7⤵
        
        PID:3324
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\data.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\
        8⤵
        Drops file in Program Files directory
        
        PID:2240
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\
        9⤵
        
        PID:4756
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\
        9⤵
        
        PID:968
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3668
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\
        9⤵
        
        PID:4252
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\
        9⤵
        
        PID:1260
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\
        9⤵
        
        PID:3712
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\data.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\
        9⤵
        
        PID:828
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1712
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\
        9⤵
        
        PID:1284
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\
        9⤵
        
        PID:2176
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System Restore.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1072
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\
        9⤵
        System policy modification
        
        PID:916
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\
        8⤵
        Drops file in Program Files directory
        
        PID:4380
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\
        9⤵
        
        PID:5060
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\
        9⤵
        System policy modification
        
        PID:1100
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\
        9⤵
        
        PID:2876
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\
        9⤵
        
        PID:3968
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\
        9⤵
        
        PID:5048
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\
        9⤵
        
        PID:3376
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\
        9⤵
        
        PID:3028
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\
        9⤵
        
        PID:3204
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\
        9⤵
        
        PID:3200
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\
        9⤵
        
        PID:4460
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\
        9⤵
        System policy modification
        
        PID:4312
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:944
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\
        9⤵
        
        PID:1272
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\
        8⤵
        Drops file in Program Files directory
        
        PID:1276
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4248
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\
        9⤵
        
        PID:1736
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\
        9⤵
        
        PID:3836
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\
        9⤵
        System policy modification
        
        PID:708
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\
        9⤵
        
        PID:2616
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\
        9⤵
        
        PID:2136
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\
        9⤵
        
        PID:2620
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\
        9⤵
        
        PID:2508
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4828
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\
        9⤵
        
        PID:3496
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\
        9⤵
        
        PID:4000
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\
        9⤵
        
        PID:4016
      - C:\Program Files\dotnet\swidtag\backup.exe
        
        "C:\Program Files\dotnet\swidtag\backup.exe" C:\Program Files\dotnet\swidtag\
        6⤵
        
        PID:1172
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2932
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1504
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:3148
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\
        8⤵
        
        PID:2648
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\default_apps\
        9⤵
        
        PID:2712
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\Extensions\
        9⤵
        
        PID:2324
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\
        9⤵
        
        PID:1200
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\data.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\data.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\
        9⤵
        
        PID:1452
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\
        9⤵
        
        PID:3084
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:712
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\
        10⤵
        
        PID:3004
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\win_x64\
        11⤵
        System policy modification
        
        PID:1412
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:3880
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4504
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1076
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:828
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:4580
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1292
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:5044
      - C:\Program Files\Internet Explorer\it-IT\update.exe
        
        "C:\Program Files\Internet Explorer\it-IT\update.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:60
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:3872
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        System policy modification
        
        PID:4464
      - C:\Program Files\Internet Explorer\uk-UA\backup.exe
        
        "C:\Program Files\Internet Explorer\uk-UA\backup.exe" C:\Program Files\Internet Explorer\uk-UA\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:3340
      - C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        6⤵
        
        PID:4316
        
        C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        7⤵
        System policy modification
        
        PID:4608
        
        C:\Program Files\Java\jdk-1.8\include\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
        7⤵
        Drops file in Program Files directory
        
        PID:1724
        
        C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        8⤵
        System policy modification
        
        PID:624
        
        C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
        9⤵
        
        PID:4220
        
        C:\Program Files\Java\jdk-1.8\jre\System Restore.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\System Restore.exe" C:\Program Files\Java\jdk-1.8\jre\
        7⤵
        
        PID:3148
        
        C:\Program Files\Java\jdk-1.8\jre\bin\data.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\data.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
        8⤵
        
        PID:2320
        
        C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        9⤵
        
        PID:1984
        
        C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        9⤵
        
        PID:828
        
        C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3936
        
        C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
        8⤵
        
        PID:1376
        
        C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
        9⤵
        
        PID:676
        
        C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
        9⤵
        
        PID:4500
        
        C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
        8⤵
        Drops file in Program Files directory
        
        PID:3028
        
        C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4780
        
        C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        9⤵
        System policy modification
        
        PID:2360
        
        C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        9⤵
        
        PID:708
        
        C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
        9⤵
        
        PID:1660
        
        C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
        9⤵
        
        PID:3208
        
        C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
        9⤵
        System policy modification
        
        PID:692
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\
        9⤵
        
        PID:4160
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
        10⤵
        
        PID:2292
        
        C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\
        9⤵
        
        PID:1664
        
        C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
        9⤵
        
        PID:3652
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\
        9⤵
        
        PID:5060
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\
        10⤵
        System policy modification
        
        PID:1100
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\
        11⤵
        System policy modification
        
        PID:2212
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
        11⤵
        
        PID:3620
        
        C:\Program Files\Java\jdk-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
        7⤵
        System policy modification
        
        PID:764
        
        C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        8⤵
        
        PID:4652
        
        C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
        8⤵
        
        PID:4552
        
        C:\Program Files\Java\jdk-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
        7⤵
        
        PID:3612
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        
        PID:5084
        
        C:\Program Files\Java\jre-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
        7⤵
        
        PID:1952
        
        C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        8⤵
        
        PID:4140
        
        C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        8⤵
        
        PID:1076
        
        C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        8⤵
        
        PID:3712
        
        C:\Program Files\Java\jre-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
        7⤵
        
        PID:548
        
        C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        8⤵
        
        PID:1396
        
        C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        8⤵
        
        PID:4744
        
        C:\Program Files\Java\jre-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:1232
        
        C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        8⤵
        
        PID:688
        
        C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        8⤵
        
        PID:1356
        
        C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        8⤵
        
        PID:4308
        
        C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe" C:\Program Files\Java\jre-1.8\lib\deploy\
        8⤵
        
        PID:1096
        
        C:\Program Files\Java\jre-1.8\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\backup.exe" C:\Program Files\Java\jre-1.8\lib\ext\
        8⤵
        
        PID:4544
        
        C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe" C:\Program Files\Java\jre-1.8\lib\fonts\
        8⤵
        
        PID:4456
        
        C:\Program Files\Java\jre-1.8\lib\images\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\
        8⤵
        
        PID:3612
        
        C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
        9⤵
        
        PID:3656
        
        C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe" C:\Program Files\Java\jre-1.8\lib\jfr\
        8⤵
        
        PID:968
        
        C:\Program Files\Java\jre-1.8\lib\management\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\management\backup.exe" C:\Program Files\Java\jre-1.8\lib\management\
        8⤵
        
        PID:4008
        
        C:\Program Files\Java\jre-1.8\lib\security\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\
        8⤵
        
        PID:396
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\
        9⤵
        Drops file in Program Files directory
        
        PID:1952
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\limited\
        10⤵
        
        PID:4588
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\
        10⤵
        System policy modification
        
        PID:2956
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:312
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:4520
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:1272
      - C:\Program Files\Microsoft Office\root\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\System Restore.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:3028
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:1324
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Drops file in Program Files directory
        
        PID:4312
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:4552
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:4064
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:3372
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:3324
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:4164
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Program Files\Microsoft Office\root\Licenses\data.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\data.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:216
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:4580
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:396
        
        C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        Drops file in Program Files directory
        
        PID:688
        
        C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        8⤵
        
        PID:428
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        9⤵
        
        PID:4352
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        9⤵
        System policy modification
        
        PID:1668
        
        C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        8⤵
        
        PID:4652
        
        C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        8⤵
        System policy modification
        
        PID:1660
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        8⤵
        
        PID:4064
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2500
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
        9⤵
        
        PID:4584
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
        10⤵
        
        PID:872
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
        9⤵
        
        PID:2304
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\
        9⤵
        
        PID:5060
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
        9⤵
        
        PID:1104
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
        10⤵
        
        PID:4920
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
        10⤵
        
        PID:3324
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\
        10⤵
        Drops file in Program Files directory
        
        PID:872
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\
        11⤵
        
        PID:4768
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        8⤵
        
        PID:2244
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\
        8⤵
        Drops file in Program Files directory
        
        PID:1604
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\
        9⤵
        
        PID:2364
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\
        9⤵
        
        PID:412
        
        C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        8⤵
        
        PID:872
        
        C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:764
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
        8⤵
        
        PID:4172
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\
        9⤵
        Drops file in Program Files directory
        
        PID:4848
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\
        10⤵
        
        PID:4940
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f14\
        8⤵
        
        PID:1100
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f2\
        8⤵
        
        PID:5040
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f3\
        8⤵
        
        PID:4820
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f33\
        8⤵
        
        PID:4572
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f4\
        8⤵
        
        PID:2136
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f7\
        8⤵
        System policy modification
        
        PID:4848
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\
        8⤵
        System policy modification
        
        PID:1324
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\
        8⤵
        
        PID:2132
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1144
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\
        8⤵
        
        PID:2240
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\update.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\
        8⤵
        
        PID:4944
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_w1\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_w1\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_w1\
        8⤵
        System policy modification
        
        PID:212
        
        C:\Program Files\Microsoft Office\root\Office16\Library\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\
        8⤵
        
        PID:1076
        
        C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\
        9⤵
        
        PID:3432
        
        C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\update.exe" C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\
        9⤵
        
        PID:1404
        
        C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\
        9⤵
        Drops file in Program Files directory
        
        PID:216
        
        C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\
        10⤵
        
        PID:2304
        
        C:\Program Files\Microsoft Office\root\Office16\LogoImages\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LogoImages\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LogoImages\
        8⤵
        
        PID:3492
        
        C:\Program Files\Microsoft Office\root\Office16\MEDIA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MEDIA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MEDIA\
        8⤵
        
        PID:3324
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4668
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\
        9⤵
        
        PID:4584
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\data.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\
        9⤵
        
        PID:1284
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\
        9⤵
        
        PID:4520
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\
        9⤵
        
        PID:212
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\
        9⤵
        
        PID:1928
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\
        9⤵
        
        PID:4008
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\
        9⤵
        
        PID:4464
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\
        9⤵
        
        PID:944
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\
        9⤵
        
        PID:1944
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\
        9⤵
        
        PID:2040
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\
        9⤵
        
        PID:5056
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\data.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\
        9⤵
        
        PID:4552
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\
        9⤵
        
        PID:4260
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\
        9⤵
        
        PID:4280
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\
        9⤵
        
        PID:4932
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\
        9⤵
        
        PID:4516
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\
        9⤵
        
        PID:2968
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\
        9⤵
        
        PID:2164
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\update.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\
        9⤵
        
        PID:1676
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\
        9⤵
        
        PID:4244
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\
        9⤵
        
        PID:4352
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\
        9⤵
        
        PID:4920
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\
        9⤵
        
        PID:2364
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\data.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\
        9⤵
        
        PID:1820
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\
        9⤵
        
        PID:968
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\
        9⤵
        
        PID:4816
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\
        9⤵
        
        PID:4568
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\
        9⤵
        
        PID:4796
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\
        9⤵
        
        PID:5048
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\
        9⤵
        
        PID:3884
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\
        9⤵
        
        PID:3644
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\
        9⤵
        
        PID:4828
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\
        9⤵
        
        PID:1340
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\
        9⤵
        
        PID:1528
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\
        9⤵
        
        PID:1260
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\
        9⤵
        
        PID:3372
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\
        9⤵
        
        PID:1624
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\
        9⤵
        
        PID:4744
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\
        9⤵
        
        PID:2548
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\
        9⤵
        
        PID:1396
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\
        9⤵
        
        PID:4816
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\
        9⤵
        
        PID:4940
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\
        9⤵
        
        PID:2732
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\
        8⤵
        
        PID:348
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\
        9⤵
        
        PID:4056
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\
        10⤵
        
        PID:2900
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\
        11⤵
        
        PID:4272
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\
        9⤵
        
        PID:1992
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\
        10⤵
        
        PID:4648
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\
        11⤵
        
        PID:1800
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\
        11⤵
        
        PID:3324
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\
        12⤵
        
        PID:4408
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\
        11⤵
        
        PID:4500
        
        C:\Program Files\Microsoft Office\root\Office16\OneNote\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\OneNote\backup.exe" C:\Program Files\Microsoft Office\root\Office16\OneNote\
        8⤵
        
        PID:3620
        
        C:\Program Files\Microsoft Office\root\Office16\osfFPA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\osfFPA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\osfFPA\
        8⤵
        
        PID:1260
        
        C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\backup.exe" C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\
        8⤵
        
        PID:1984
        
        C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\backup.exe" C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\
        8⤵
        
        PID:2220
        
        C:\Program Files\Microsoft Office\root\Office16\PROOF\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\PROOF\backup.exe" C:\Program Files\Microsoft Office\root\Office16\PROOF\
        8⤵
        
        PID:5088
        
        C:\Program Files\Microsoft Office\root\Office16\QUERIES\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\QUERIES\backup.exe" C:\Program Files\Microsoft Office\root\Office16\QUERIES\
        8⤵
        
        PID:4672
        
        C:\Program Files\Microsoft Office\root\Office16\SAMPLES\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\SAMPLES\backup.exe" C:\Program Files\Microsoft Office\root\Office16\SAMPLES\
        8⤵
        
        PID:4636
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\
        8⤵
        
        PID:4348
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\
        9⤵
        
        PID:1084
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\
        10⤵
        
        PID:2076
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\
        11⤵
        
        PID:4568
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\
        12⤵
        
        PID:4376
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\
        13⤵
        
        PID:4344
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\
        9⤵
        
        PID:2508
        
        C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\backup.exe" C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\
        10⤵
        
        PID:2160
        
        C:\Program Files\Microsoft Office\root\rsod\backup.exe
        
        "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
        7⤵
        
        PID:4600
        
        C:\Program Files\Microsoft Office\root\Templates\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
        7⤵
        
        PID:1796
        
        C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        8⤵
        
        PID:4064
        
        C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        9⤵
        
        PID:2708
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\
        9⤵
        
        PID:4288
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\
        10⤵
        
        PID:3836
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\
        11⤵
        
        PID:3456
        
        C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        8⤵
        
        PID:1128
        
        C:\Program Files\Microsoft Office\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
        7⤵
        
        PID:2292
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\
        8⤵
        
        PID:1604
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\
        9⤵
        
        PID:3832
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\
        10⤵
        
        PID:2968
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\
        11⤵
        
        PID:3208
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\
        9⤵
        
        PID:4648
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\
        8⤵
        
        PID:3512
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\
        9⤵
        
        PID:4200
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\
        8⤵
        
        PID:464
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\
        9⤵
        
        PID:512
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\
        9⤵
        
        PID:952
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\
        10⤵
        
        PID:636
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\
        10⤵
        
        PID:4308
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\
        11⤵
        
        PID:60
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\
        10⤵
        
        PID:2640
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\
        10⤵
        
        PID:860
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\
        10⤵
        
        PID:4588
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\
        10⤵
        
        PID:3200
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\
        10⤵
        
        PID:412
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\
        11⤵
        
        PID:2360
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\
        11⤵
        
        PID:3880
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\
        11⤵
        
        PID:212
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\
        12⤵
        
        PID:2240
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\
        12⤵
        
        PID:860
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\
        13⤵
        
        PID:676
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\
        11⤵
        
        PID:4248
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\
        11⤵
        
        PID:1820
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\
        12⤵
        
        PID:1636
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\
        11⤵
        
        PID:2956
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\
        10⤵
        
        PID:2456
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\
        10⤵
        
        PID:4484
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\
        11⤵
        
        PID:2164
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\
        11⤵
        
        PID:1660
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\
        12⤵
        
        PID:1604
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\
        10⤵
        
        PID:4344
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\
        10⤵
        
        PID:1396
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\
        10⤵
        
        PID:4628
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\
        11⤵
        
        PID:680
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\
        11⤵
        
        PID:1624
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\
        11⤵
        
        PID:4500
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\
        11⤵
        
        PID:4672
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\
        11⤵
        
        PID:704
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\data.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\
        11⤵
        
        PID:2864
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\
        11⤵
        
        PID:4160
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:2696
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:3376
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:2648
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\F283FAB0-91F5-4AC3-9894-058F553F83EA\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\F283FAB0-91F5-4AC3-9894-058F553F83EA\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\F283FAB0-91F5-4AC3-9894-058F553F83EA\
        9⤵
        
        PID:4232
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:952
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:1724
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\
        9⤵
        
        PID:1844
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\
        10⤵
        
        PID:4248
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\
        11⤵
        
        PID:1660
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\
        12⤵
        
        PID:5048
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\
        13⤵
        
        PID:1604
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\GAC_MSIL\
        14⤵
        
        PID:4448
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        15⤵
        
        PID:4272
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F283FAB0-91F5-4AC3-9894-058F553F83EA\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
        16⤵
        
        PID:1404
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        System policy modification
        
        PID:4628
      - C:\Program Files\Microsoft Office 15\ClientX64\update.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\update.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:2208
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2928
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:4064
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:932
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:4720
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:1672
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:3884
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:60
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\System Restore.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:3556
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:3124
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:860
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1820
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:3644
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:4984
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:2508
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:3964
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:3200
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:4576
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:536
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:4432
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:1468
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:1404
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:828
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:1084
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:3124
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:2364
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:396
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:2548
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:3872
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:4448
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:4812
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:4200
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:1396
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:556
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        
        PID:624
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:1652
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        
        PID:3084
        
        C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        
        PID:2620
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:1340
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        8⤵
        
        PID:2312
        
        C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        9⤵
        
        PID:3776
        
        C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        8⤵
        
        PID:1760
        
        C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
        9⤵
        
        PID:5032
        
        C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\
        8⤵
        
        PID:2164
        
        C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\
        9⤵
        
        PID:4008
        
        C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        8⤵
        
        PID:400
        
        C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
        9⤵
        
        PID:2732
        
        C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
        8⤵
        
        PID:2408
        
        C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        9⤵
        
        PID:2976
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
        8⤵
        
        PID:4412
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
        9⤵
        
        PID:4044
        
        C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
        8⤵
        
        PID:4460
        
        C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
        9⤵
        
        PID:3736
        
        C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
        8⤵
        
        PID:3996
        
        C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\
        9⤵
        
        PID:4316
        
        C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\
        8⤵
        
        PID:764
        
        C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
        9⤵
        
        PID:3496
        
        C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\
        8⤵
        
        PID:3880
        
        C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\
        9⤵
        
        PID:3540
        
        C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\
        8⤵
        
        PID:2176
        
        C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\
        9⤵
        
        PID:3372
        
        C:\Program Files\VideoLAN\VLC\locale\br\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\
        8⤵
        
        PID:1744
        
        C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\
        9⤵
        
        PID:2160
        
        C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\
        8⤵
        
        PID:1664
        
        C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\
        9⤵
        
        PID:4272
        
        C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\
        8⤵
        
        PID:4004
        
        C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\
        9⤵
        
        PID:4588
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:3308
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1284
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:2284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:5108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:3620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:3376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:2548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:3340
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:1564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:4400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:4920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:2696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:3604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:3500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:1172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:4820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:4384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:5048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:2000
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:4868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        System policy modification
        
        PID:1792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:1412
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:3760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:2208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:2812
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:3456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:2640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        
        PID:3336
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        
        PID:2244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        14⤵
        
        PID:4848
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        
        PID:4200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        
        PID:4432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        Drops file in Program Files directory
        
        PID:2500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        14⤵
        
        PID:4864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        14⤵
        
        PID:4836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        System policy modification
        
        PID:1504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        Drops file in Program Files directory
        
        PID:464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
        14⤵
        
        PID:872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
        14⤵
        
        PID:2700
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        
        PID:3632
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        Drops file in Program Files directory
        
        PID:428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        13⤵
        
        PID:1292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        System policy modification
        
        PID:2620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        14⤵
        
        PID:676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:1096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        12⤵
        Drops file in Program Files directory
        
        PID:1104
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        13⤵
        System policy modification
        
        PID:4636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
        12⤵
        
        PID:4616
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
        13⤵
        System policy modification
        
        PID:4820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
        14⤵
        
        PID:3208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
        12⤵
        
        PID:2976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        13⤵
        
        PID:4004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
        14⤵
        
        PID:1624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        12⤵
        
        PID:2456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        13⤵
        
        PID:1800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
        15⤵
        
        PID:3872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        15⤵
        
        PID:676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        15⤵
        
        PID:3028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
        15⤵
        System policy modification
        
        PID:1324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
        15⤵
        
        PID:400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
        15⤵
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
        15⤵
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
        15⤵
        
        PID:5072
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
        15⤵
        System policy modification
        
        PID:3496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
        15⤵
        
        PID:692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
        15⤵
        
        PID:2864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\
        15⤵
        
        PID:2740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\
        15⤵
        
        PID:4720
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\
        15⤵
        
        PID:536
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\
        15⤵
        
        PID:2076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\
        15⤵
        
        PID:1352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\
        15⤵
        
        PID:4248
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\
        15⤵
        
        PID:4652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\
        15⤵
        
        PID:1760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\
        15⤵
        
        PID:4432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\
        15⤵
        
        PID:2952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\
        15⤵
        System policy modification
        
        PID:2652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\
        15⤵
        
        PID:3712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\
        15⤵
        
        PID:4004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\
        15⤵
        System policy modification
        
        PID:832
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\
        15⤵
        
        PID:4588
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\
        15⤵
        
        PID:2956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\
        15⤵
        
        PID:1744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\
        15⤵
        
        PID:944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\
        15⤵
        
        PID:4944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\
        15⤵
        
        PID:4200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\
        15⤵
        
        PID:2428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
        12⤵
        
        PID:3640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
        13⤵
        
        PID:4456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
        12⤵
        
        PID:4432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
        13⤵
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:2160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        15⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        15⤵
        
        PID:3116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
        15⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\
        15⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:516
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\
        15⤵
        
        PID:1668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
        15⤵
        System policy modification
        
        PID:2364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\
        15⤵
        
        PID:1084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\
        15⤵
        
        PID:5040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\
        15⤵
        System policy modification
        
        PID:4248
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\
        15⤵
        
        PID:3872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\
        15⤵
        
        PID:2356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\
        15⤵
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\
        15⤵
        
        PID:5032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\
        15⤵
        
        PID:3836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\
        15⤵
        
        PID:1232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\
        15⤵
        
        PID:1096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\
        15⤵
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\
        15⤵
        
        PID:3640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\
        15⤵
        
        PID:2244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\
        15⤵
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\
        15⤵
        
        PID:832
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\
        15⤵
        
        PID:4780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\
        15⤵
        
        PID:2424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\
        15⤵
        
        PID:3208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\
        15⤵
        System policy modification
        
        PID:5056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\
        15⤵
        
        PID:4888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\
        15⤵
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\
        15⤵
        System policy modification
        
        PID:2076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\
        15⤵
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\
        15⤵
        
        PID:1548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\
        15⤵
        
        PID:3848
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\
        15⤵
        
        PID:3184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
        12⤵
        Drops file in Program Files directory
        
        PID:4572
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
        13⤵
        
        PID:3540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
        14⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\
        15⤵
        
        PID:1572
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\
        15⤵
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\
        15⤵
        
        PID:2900
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\
        15⤵
        System policy modification
        
        PID:4360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\
        15⤵
        
        PID:512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\
        15⤵
        
        PID:3684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\
        15⤵
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\
        15⤵
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\
        15⤵
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\
        15⤵
        
        PID:708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\
        15⤵
        
        PID:4608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\
        15⤵
        
        PID:4816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\
        15⤵
        
        PID:3148
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\
        15⤵
        
        PID:5116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\
        15⤵
        
        PID:4944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\
        15⤵
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\
        15⤵
        
        PID:4140
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\
        15⤵
        
        PID:2424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\
        15⤵
        
        PID:212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\
        15⤵
        
        PID:4076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\
        15⤵
        
        PID:5060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\
        15⤵
        
        PID:4544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\
        15⤵
        
        PID:2620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\
        15⤵
        
        PID:2164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\
        15⤵
        
        PID:2136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\
        15⤵
        
        PID:1292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\
        15⤵
        
        PID:4652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\
        15⤵
        
        PID:1352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\
        15⤵
        
        PID:4836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\
        15⤵
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\
        15⤵
        
        PID:1548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\
        15⤵
        
        PID:2324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\
        15⤵
        
        PID:2968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\
        15⤵
        
        PID:4172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
        12⤵
        
        PID:4888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\
        13⤵
        
        PID:4940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\
        14⤵
        
        PID:2132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\
        13⤵
        
        PID:4568
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\
        14⤵
        
        PID:4004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\
        12⤵
        
        PID:4140
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\
        12⤵
        
        PID:2928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\
        13⤵
        
        PID:5040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\
        14⤵
        
        PID:2364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\
        14⤵
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\
        14⤵
        
        PID:1668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\
        15⤵
        
        PID:548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\
        16⤵
        
        PID:3376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\
        16⤵
        
        PID:3200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\
        16⤵
        
        PID:2160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\
        16⤵
        
        PID:4668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\
        16⤵
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\
        16⤵
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\
        16⤵
        
        PID:4588
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\
        16⤵
        
        PID:4160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\
        16⤵
        
        PID:4348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\
        16⤵
        
        PID:1232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\
        16⤵
        
        PID:4268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\
        16⤵
        
        PID:3376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\
        16⤵
        
        PID:2072
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\
        16⤵
        
        PID:2076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\
        16⤵
        
        PID:2240
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\
        16⤵
        
        PID:3324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\
        16⤵
        
        PID:1124
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\
        16⤵
        
        PID:2640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\
        16⤵
        
        PID:4312
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\
        16⤵
        
        PID:4808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\
        16⤵
        
        PID:3008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\
        16⤵
        
        PID:4720
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\
        16⤵
        
        PID:4820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:3684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:4232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:5032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:1072
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:2652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:4352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:1836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:5088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:3556
    - - C:\Program Files (x86)\Common Files\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System Restore.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:3496
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:4004
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        
        PID:5044
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:4756
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:2424
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:4836
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:5072
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:3760
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4308
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:5116
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:2312
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:1796
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:2928
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        System policy modification
        
        PID:2620
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        System policy modification
        
        PID:4608
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        System policy modification
        
        PID:464
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:2304
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:2740
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:4064
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:4500
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:2240
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        
        PID:3620
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        
        PID:4412
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:1084
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2500
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:1492
        
        C:\Program Files (x86)\Common Files\Java\Java Update\update.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\update.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:2652
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:640
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        System policy modification
        
        PID:1676
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        System policy modification
        
        PID:4848
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1668
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:3652
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3760
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:1760
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:428
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:4628
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:4756
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1928
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:3008
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:1580
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:4808
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        
        PID:1792
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:920
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1548
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:4652
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:4984
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:3208
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:4344
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2812
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        
        PID:1940
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:4008
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        9⤵
        
        PID:4720
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
        8⤵
        
        PID:4464
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        9⤵
        
        PID:2812
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
        9⤵
        
        PID:3148
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\
        9⤵
        
        PID:2136
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        9⤵
        
        PID:1508
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:708
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:764
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:3964
      - C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:1672
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        
        PID:60
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:4248
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:3996
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:3148
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:5060
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:4784
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:2712
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:3484
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1944
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:916
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1796
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:3656
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:2428
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:3644
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:1928
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:4520
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:4796
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:3008
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:512
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1992
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:4484
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:3652
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2304
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:312
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:3832
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:920
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2132
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:4920
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\data.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\data.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:944
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:4636
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:2976
        
        C:\Program Files (x86)\Common Files\System\uk-UA\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\uk-UA\backup.exe" C:\Program Files (x86)\Common Files\System\uk-UA\
        7⤵
        
        PID:3372
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:3492
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1572
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:772
        
        C:\Program Files (x86)\Google\Update\1.3.36.371\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.371\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.371\
        7⤵
        
        PID:2240
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:4344
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1624
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\
        9⤵
        
        PID:1096
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:3504
        
        C:\Program Files (x86)\Google\Update\Install\{81C44847-CFD4-4467-BC43-4620F6C2BDBD}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{81C44847-CFD4-4467-BC43-4620F6C2BDBD}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{81C44847-CFD4-4467-BC43-4620F6C2BDBD}\
        8⤵
        
        PID:4584
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:1412
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2176
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1084
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2640
      - C:\Program Files (x86)\Internet Explorer\es-ES\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\System Restore.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:4464
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:968
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:1072
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:2648
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1076
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3996
      - C:\Program Files (x86)\Internet Explorer\uk-UA\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\uk-UA\backup.exe" C:\Program Files (x86)\Internet Explorer\uk-UA\
        6⤵
        
        PID:1352
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:4172
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:3500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:1076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        
        PID:3492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        
        PID:4672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:2176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        
        PID:4308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        9⤵
        
        PID:1272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        9⤵
        
        PID:2428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        9⤵
        
        PID:3372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
        9⤵
        
        PID:4836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
        9⤵
        
        PID:4064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
        9⤵
        
        PID:2212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
        9⤵
        
        PID:2956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\
        10⤵
        
        PID:4584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
        11⤵
        
        PID:4076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\data.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\
        9⤵
        
        PID:2212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
        10⤵
        
        PID:2900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
        10⤵
        
        PID:4460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\
        10⤵
        
        PID:1280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\
        10⤵
        
        PID:3836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\
        10⤵
        
        PID:1564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\
        10⤵
        
        PID:4836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\
        10⤵
        
        PID:4944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\
        11⤵
        
        PID:4244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\
        11⤵
        
        PID:3640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\
        10⤵
        
        PID:2640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\
        10⤵
        
        PID:4260
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1944
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2208
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:4796
      - C:\Users\Admin\Contacts\update.exe
        
        C:\Users\Admin\Contacts\update.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1100
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:3432
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:4784
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        
        PID:412
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        
        PID:3504
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2384
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2556
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:4576
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:2740
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:4572
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:2132
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:4140
      - C:\Users\Admin\Saved Games\data.exe
        
        "C:\Users\Admin\Saved Games\data.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:4516
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        System policy modification
        
        PID:4780
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:3324
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:3612
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:4936
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2284
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:464
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:3376
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:4172
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:3968
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:932
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:4820
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        
        PID:1792
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:1172
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:4220
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:4056
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:4728
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:4280
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:4636
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:1144
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:4648
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        System policy modification
        
        PID:1232
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:396
      - C:\Windows\apppatch\es-ES\System Restore.exe
        
        "C:\Windows\apppatch\es-ES\System Restore.exe" C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:3964
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:2040
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:4004
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:1492
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:2240
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:4220
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:1324
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:5072
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1340
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:4940
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4784
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:1948
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2360
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:1352
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1356
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:412
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:3432
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:1952
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1076
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:1624
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4824
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:4000
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:704
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4360
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:2928
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1200
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:428
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4004
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:1508
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1340
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:1724
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4344
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe C:\Windows\assembly\GAC_32\MSBuild\
        7⤵
        
        PID:1352
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:5072
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe C:\Windows\assembly\GAC_32\mscorlib\
        7⤵
        
        PID:4432
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3776
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\
        7⤵
        
        PID:2812
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1668
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe C:\Windows\assembly\GAC_32\srmlib\
        7⤵
        
        PID:1896
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:3832
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe C:\Windows\assembly\GAC_32\System.Data\
        7⤵
        
        PID:2348
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:2968
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\
        7⤵
        
        PID:4572
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:2788
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\
        7⤵
        
        PID:4164
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1564
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe C:\Windows\assembly\GAC_32\System.Printing\
        7⤵
        
        PID:1660
        
        C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2364
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\
        7⤵
        
        PID:2456
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:1900
        
        C:\Windows\assembly\GAC_32\System.Web\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\backup.exe C:\Windows\assembly\GAC_32\System.Web\
        7⤵
        
        PID:676
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4348
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:3508
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        
        PID:5056
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4164
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:1376
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2364
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        
        PID:3604
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2716
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:4060
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1564
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:4820
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1128
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe C:\Windows\assembly\GAC_64\MSBuild\
        7⤵
        
        PID:2428
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3644
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe C:\Windows\assembly\GAC_64\mscorlib\
        7⤵
        
        PID:4140
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:4520
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\
        7⤵
        
        PID:3632
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:3128
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:4616
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:3992
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        
        PID:1100
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:4592
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:3668
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        
        PID:4044
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        
        PID:4816
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
        7⤵
        
        PID:4788
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe C:\Windows\Branding\Basebrd\ja-JP\
        7⤵
        
        PID:3836
        
        C:\Windows\Branding\Basebrd\uk-UA\backup.exe
        
        C:\Windows\Branding\Basebrd\uk-UA\backup.exe C:\Windows\Branding\Basebrd\uk-UA\
        7⤵
        
        PID:3556
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        
        PID:4460
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        
        PID:1744
- C:\Users\Admin\AppData\Local\Temp\3348296258\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3348296258\backup.exe C:\Users\Admin\AppData\Local\Temp\3348296258\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3336
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3372
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:944
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3236
- C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe C:\Users\Admin\AppData\Local\Temp\VBE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1676

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
85KB

MD5
a268279c6aa36312db387e7e6cc42266

SHA1
2800755ba6daaca88f6b62fcb2c1a059d1426b9d

SHA256
2718040b588c3fb4e9451db82a052ee6bdb66bce408358ee6bf962767ac67aa6

SHA512
0396e42b13b51da9410f3a933cf4a26fdda151ba529ad9a09a5c2b00daa94259503250082dd51663310abf4ed3b46ad7a83b1fd8e7e4e0a0b311eea661679376

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
85KB

MD5
b0077dd58483474c1a4e003cab354a10

SHA1
94a4ab112426c9c8b8ab7277f7a6c2d08657ca27

SHA256
d357bd67caee6e9979cd4e6cf542367cbf4234ba12d3c3c6e80f687d9426a215

SHA512
547068c04057a7efec2d7b40c6379deb8606f279f9c8faf37b50844b35b87c1be26b7d5d1feb7c343c255a6a65ab5e4d961764c4d8fc2daab174b8c3c56c6d56

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
85KB

MD5
1745947ff19f1eeecda5a71f12e7a910

SHA1
82b5ad28d1d572ce9698ca54ddf71d6fbf8373cd

SHA256
c8ab8da915b7444bf406f680decc1e6bc36087c63c4e9243951eaaf324efa069

SHA512
ee46bd1f30ae655d3f72883ec74cc8dd7ccc40156816c76ffd4d21d8af1143bf7b89b5ea6a0b607c2bac801d0965798e0a295c39f8bbb06407e7a13a8262c677

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
85KB

MD5
eed1d5f955383b244a00992c91e3751a

SHA1
cf97b11d5b7aad1ba9f336c33ce4ce574b097ba7

SHA256
076d2acbf01a853f173fb57f730fcfe6b377b3bd6284ef088dd55bb2109fa729

SHA512
4d3a10379c23d6e739594116cf429dfad0364f3fb69121e1e751eaf2918d4e120d3fa05a35608af69edb35a8ff4e8f3c1ae134420e85eb0a1d7713b3279a7720

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
85KB

MD5
d9a97c5a109d662e9d172fc4e40dfada

SHA1
a9eae575ca39c235ba25d262ebad1fd8937845d6

SHA256
17d6ede4883c00a8e6c2beb16dde457a63ccb6c71dbc4bbd788080da5386d665

SHA512
d68cecd22c4faabca4ce298d4cfcd2a91ceaab45d80a1ae626d436448ce504bc7445c9cead2050a24b4f86a3bfacccb0837473f37ed7bbc11d0c032582efed96

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
85KB

MD5
a61ae61138df10273d0ec8c35e7e379d

SHA1
d7d853103809870ed46a9448091a3fc9cb630397

SHA256
853177ddda0bc24c4c3e6cfcb27e7f216d4ebc51583ba42a77bf77186e834668

SHA512
7cf87bd3e98b5cdb58a76bd200cad73d0ac6a204552a71a8c9fdfad2ab5ef3de7c04a132e4ac23347b39eb45de638314a44bd03e3a9e68ea4780090f57fc9c9c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
85KB

MD5
7dfd502cf8e715878cad34cf6d0a778d

SHA1
9a2f981733583af14f2dcb24feed325b6a1b0d33

SHA256
d25d3b5a1a2829ae24dc9e730c212fca1ae50ebea8dacc4884aae41e00905c99

SHA512
bb3a2c0b9a1b77d580686b679cd8d52fe0acbd15a0325f0fd69b46a95827ed9d8ad483104a5995775997f9d0ef1aea424b074109b1f41478eb155a245dc6bfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
85KB

MD5
bb8aabd42b546cf246ce3ae8f8b725e2

SHA1
ced1a5afde88c9dc848a8fcfab390d514fd7e6b8

SHA256
b7bff190e318adc4965f19b03500116276203ed664a264cead82ea7184fcb144

SHA512
7b26cdb7d8cd65e4d700637ee0209775feb6a908f4cdde60b5c7593ebc28b90730cd5cb648c20a5253fa93ecb81379877674e51d69d0abac34da33908b62361e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
85KB

MD5
dde9458964ef8e3c3762d241bbe01f3b

SHA1
0b4b6949a2abeea21d597f1ead151590674df037

SHA256
6392ce7d28eb2483c59a1400be20efb5ec6c65856d7481bcd2dea7e7b70dd65f

SHA512
de781922613178349f0b19a481fd6bbc6c9b7f2b3845418a7dcef7a33c7db175a8de0dcf61aeef97709fe4bd75f960fe4c94d087ca8a88f5deb3c909095fb8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
85KB

MD5
1624b2f2bcea70f0e636214d8929c6f7

SHA1
7af5cb18787d7d9f89f8146e5d29a1b2645de8f5

SHA256
ee490c77ca3eb43648de487173b7acd91a6e5e4bab433833a86bf5e718d80dd8

SHA512
fe19338ef876113b16391e133c67dd9840521814637bd03ecfb89ae2205c2b13fc8e1f5af9d850bc2127cd764db76e36997fb90e30498b0590f039a864ae1556

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
33KB

MD5
de5ed3639292ba6336ac3e8667453f0a

SHA1
e19458a72060e75b034ca07362e28b9d56559930

SHA256
0d201ff511fba4abd3e6ee52c43f2d526f4809dc63d50ff11a889f6641901908

SHA512
a824790328ffdac7d349824c68463bbbfcd33fece50ef4694cddae3cfd5ca6e9d49d2303d9c5a305ffdaf5225d9b50c0e18ecc5accb74dc8f5ebea6dbe296940

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E879C586-156D-4912-B47D-AB5C65B508B2}\backup.exe

Filesize
85KB

MD5
d3bf65837296e9bdc326a592103ad780

SHA1
a8f40b1bcd2297229f8fbcc42da349d3b547a95e

SHA256
67fe46dcc784e65381435db81a5cc1fd4544f4fa1b8cb4b32974068aa9bf70eb

SHA512
d0a341e2f92f1edb8703088c6a6c31f2d3261b563205b76aba0d77646a74f7eec40cabf7c287ff5f7af71fc22a29e007b80d739bd8573cf2c7ee95c26a360839

Download Submit
C:\backup.exe

Filesize
85KB

MD5
c9ba322e1bec7a1fd98967fde45d2a2c

SHA1
12a87bf4beb77b37897240385848f472f7f816f4

SHA256
14721dbc20f5d0fbfc2253447684d2864f004f875b2e718ff79d898f408be4b8

SHA512
efa9de73c23797faee53af30f819ccb2bbdbfe514cb19a2080809da34428c9ad2c16543915e8af7294a2fd2f18b43d1c55f7f827de7ce25c459a1479bdda6920

Download Submit
memory/212-449-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/400-459-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/452-239-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/464-119-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/512-84-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/528-415-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/624-308-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/676-212-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/712-266-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/932-216-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/944-45-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1144-345-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1192-75-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1376-375-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1496-20-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1544-189-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1608-247-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1640-405-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1652-521-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1672-257-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1676-87-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1796-359-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1800-536-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1900-335-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2176-500-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2308-226-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2324-181-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2384-444-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2388-52-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2408-499-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2428-95-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2428-21-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2508-461-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2508-242-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2588-208-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2620-298-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2640-365-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2648-355-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2648-155-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2700-67-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2700-0-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2708-313-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2708-480-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2812-328-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2908-485-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2912-60-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2912-251-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2948-440-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2968-430-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3004-425-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3008-323-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3008-490-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3084-511-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3236-78-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3336-33-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3372-122-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3376-510-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3496-318-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3508-140-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3512-435-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3544-186-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3860-231-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3884-370-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4016-330-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4016-324-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4020-494-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4056-303-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4112-223-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4140-526-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4220-138-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4276-410-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4308-546-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4328-395-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4352-201-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4360-389-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4384-534-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4396-194-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4412-340-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4524-174-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4572-544-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4628-475-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4720-515-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4756-293-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4768-380-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4768-551-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4808-420-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4828-470-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4836-288-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4884-385-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4920-455-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4972-167-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/4984-349-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/5016-400-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/5028-261-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/5068-82-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/5076-283-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads