6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6

Analysis

max time kernel
24s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe
Size

122KB
MD5

38c9f7241c64855422a2bf460a5e8470
SHA1

32a19e7c08bb3dfcb4efaf1a4d9444a05b7a2bb5
SHA256

6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6
SHA512

c69148c04846d7104614e82aeddf706263b81d52e38ac3c3ac51067a6bf923ba2fcb732ca667d8a8d4e1026337b13c690bb5aa2bee7b7cb643867f7979a86948
SSDEEP

1536:lvm1Fu8AjYaFwjRUdW7fmyY7aZYJVmy0KQbj6vbjuKoauGi4D:6u8ANCUdgfmD7zey0KUj6TjR9i4D

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
3700	backup.exe
2292	backup.exe
2828	backup.exe
4740	backup.exe
1156	backup.exe
2584	backup.exe
4448	backup.exe
5076	backup.exe
4868	backup.exe
2208	backup.exe
2908	System Restore.exe
3620	backup.exe
2084	update.exe
1196	backup.exe
4984	backup.exe
4640	backup.exe
4240	backup.exe
2300	backup.exe
5088	backup.exe
2380	backup.exe
1744	backup.exe
1204	backup.exe
2448	backup.exe
4124	backup.exe
4656	backup.exe
2884	backup.exe
3216	backup.exe
3696	backup.exe
2460	backup.exe
1528	backup.exe
2432	backup.exe
3428	backup.exe
4328	backup.exe
2952	backup.exe
4516	backup.exe
4256	backup.exe
432	backup.exe
4436	backup.exe
1984	backup.exe
5012	System Restore.exe
1580	backup.exe
4568	backup.exe
2152	backup.exe
4808	backup.exe
940	backup.exe
4404	backup.exe
2404	backup.exe
5076	backup.exe
1816	backup.exe
4088	backup.exe
2016	backup.exe
756	backup.exe
4132	backup.exe
976	backup.exe
2084	backup.exe
2116	backup.exe
1228	backup.exe
4924	backup.exe
3084	backup.exe
1008	backup.exe
368	backup.exe
2484	backup.exe
1532	backup.exe
2712	backup.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Crashpad\reports\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\data.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System Restore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2176	backup.exe
1356	backup.exe
624	backup.exe
4740	data.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe
3700	backup.exe
2292	backup.exe
2828	backup.exe
4740	backup.exe
1156	backup.exe
2584	backup.exe
4448	backup.exe
5076	backup.exe
4868	backup.exe
2208	backup.exe
2908	System Restore.exe
3620	backup.exe
2084	update.exe
1196	backup.exe
4984	backup.exe
4640	backup.exe
4240	backup.exe
2300	backup.exe
5088	backup.exe
2380	backup.exe
1744	backup.exe
1204	backup.exe
4124	backup.exe
2448	backup.exe
4656	backup.exe
2884	backup.exe
3216	backup.exe
3696	backup.exe
1528	backup.exe
2460	backup.exe
2432	backup.exe
3428	backup.exe
2952	backup.exe
4328	backup.exe
4516	backup.exe
4256	backup.exe
432	backup.exe
4436	backup.exe
1984	backup.exe
5012	System Restore.exe
1580	backup.exe
4568	backup.exe
2152	backup.exe
4808	backup.exe
940	backup.exe
4404	backup.exe
2404	backup.exe
5076	backup.exe
1816	backup.exe
4088	backup.exe
2016	backup.exe
756	backup.exe
4132	backup.exe
976	backup.exe
2084	backup.exe
2116	backup.exe
1228	backup.exe
4924	backup.exe
3084	backup.exe
1008	backup.exe
368	backup.exe
2484	backup.exe
1532	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 3700	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	82
PID 2400 wrote to memory of 3700	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	82
PID 2400 wrote to memory of 3700	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	82
PID 2400 wrote to memory of 2292	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	83
PID 2400 wrote to memory of 2292	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	83
PID 2400 wrote to memory of 2292	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	83
PID 2400 wrote to memory of 2828	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	84
PID 2400 wrote to memory of 2828	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	84
PID 2400 wrote to memory of 2828	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	84
PID 2400 wrote to memory of 4740	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	85
PID 2400 wrote to memory of 4740	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	85
PID 2400 wrote to memory of 4740	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	85
PID 2400 wrote to memory of 1156	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	86
PID 2400 wrote to memory of 1156	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	86
PID 2400 wrote to memory of 1156	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	86
PID 2400 wrote to memory of 2584	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	87
PID 2400 wrote to memory of 2584	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	87
PID 2400 wrote to memory of 2584	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	87
PID 2400 wrote to memory of 4448	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	88
PID 2400 wrote to memory of 4448	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	88
PID 2400 wrote to memory of 4448	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	88
PID 2400 wrote to memory of 5076	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	89
PID 2400 wrote to memory of 5076	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	89
PID 2400 wrote to memory of 5076	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	89
PID 2400 wrote to memory of 4868	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	90
PID 2400 wrote to memory of 4868	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	90
PID 2400 wrote to memory of 4868	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	90
PID 4868 wrote to memory of 2208	4868	backup.exe	91
PID 4868 wrote to memory of 2208	4868	backup.exe	91
PID 4868 wrote to memory of 2208	4868	backup.exe	91
PID 2208 wrote to memory of 2908	2208	backup.exe	92
PID 2208 wrote to memory of 2908	2208	backup.exe	92
PID 2208 wrote to memory of 2908	2208	backup.exe	92
PID 2400 wrote to memory of 3620	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	93
PID 2400 wrote to memory of 3620	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	93
PID 2400 wrote to memory of 3620	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	93
PID 2400 wrote to memory of 2084	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	94
PID 2400 wrote to memory of 2084	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	94
PID 2400 wrote to memory of 2084	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	94
PID 2400 wrote to memory of 1196	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	95
PID 2400 wrote to memory of 1196	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	95
PID 2400 wrote to memory of 1196	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	95
PID 3700 wrote to memory of 4984	3700	backup.exe	96
PID 3700 wrote to memory of 4984	3700	backup.exe	96
PID 3700 wrote to memory of 4984	3700	backup.exe	96
PID 2400 wrote to memory of 4640	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	97
PID 2400 wrote to memory of 4640	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	97
PID 2400 wrote to memory of 4640	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	97
PID 4984 wrote to memory of 4240	4984	backup.exe	98
PID 4984 wrote to memory of 4240	4984	backup.exe	98
PID 4984 wrote to memory of 4240	4984	backup.exe	98
PID 2400 wrote to memory of 2300	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	99
PID 2400 wrote to memory of 2300	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	99
PID 2400 wrote to memory of 2300	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	99
PID 2400 wrote to memory of 5088	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	101
PID 2400 wrote to memory of 5088	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	101
PID 2400 wrote to memory of 5088	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	101
PID 4984 wrote to memory of 2380	4984	backup.exe	100
PID 4984 wrote to memory of 2380	4984	backup.exe	100
PID 4984 wrote to memory of 2380	4984	backup.exe	100
PID 2380 wrote to memory of 1744	2380	backup.exe	102
PID 2380 wrote to memory of 1744	2380	backup.exe	102
PID 2380 wrote to memory of 1744	2380	backup.exe	102
PID 2400 wrote to memory of 1204	2400	6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe	103

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe
"C:\Users\Admin\AppData\Local\Temp\6e4515036572821bdb8b71711e7d404757611fabd8ae5fef471a3dda5b674ee6N.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\{6FEE10C7-F69B-446A-9D09-7553B44D03EF}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{6FEE10C7-F69B-446A-9D09-7553B44D03EF}\backup.exe C:\Users\Admin\AppData\Local\Temp\{6FEE10C7-F69B-446A-9D09-7553B44D03EF}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4240
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4124
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2884
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3696
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3428
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2952
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4516
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:940
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1816
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4132
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:368
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4908
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:3476
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:2512
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:4340
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:5068
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:4440
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:536
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:2872
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        System policy modification
        
        PID:4356
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:4436
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4192
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        System policy modification
        
        PID:3608
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        System policy modification
        
        PID:4248
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        System policy modification
        
        PID:884
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:2796
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:4156
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:1284
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\data.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:1152
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:4672
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:460
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:1508
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:2928
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:3836
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\data.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:4720
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:4844
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:2464
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4284
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:220
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:4820
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        
        PID:3920
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:2520
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:3944
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:808
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:952
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:1144
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:1400
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:2924
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\
        8⤵
        
        PID:2016
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:2604
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:5064
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:3084
        
        C:\Program Files\Common Files\microsoft shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\update.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2484
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4700
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:1932
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2244
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:3368
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:4780
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:1508
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:1432
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:3888
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2948
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:4064
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:408
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3660
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:4072
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4256
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        System policy modification
        
        PID:4796
        
        C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:852
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:4372
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1984
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:4360
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:3348
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5000
        
        C:\Program Files\Common Files\System\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\fr-FR\data.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2708
        
        C:\Program Files\Common Files\System\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\it-IT\update.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:3168
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:3464
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:3524
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:4688
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:948
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1592
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:4812
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1400
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:3580
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:1412
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:4976
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2604
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:5088
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:2992
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:760
        
        C:\Program Files\Common Files\System\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\System\uk-UA\backup.exe" C:\Program Files\Common Files\System\uk-UA\
        7⤵
        
        PID:1596
    - - C:\Program Files\Crashpad\backup.exe
        
        "C:\Program Files\Crashpad\backup.exe" C:\Program Files\Crashpad\
        5⤵
        Drops file in Program Files directory
        
        PID:4396
      - C:\Program Files\Crashpad\attachments\backup.exe
        
        "C:\Program Files\Crashpad\attachments\backup.exe" C:\Program Files\Crashpad\attachments\
        6⤵
        System policy modification
        
        PID:2820
      - C:\Program Files\Crashpad\reports\backup.exe
        
        "C:\Program Files\Crashpad\reports\backup.exe" C:\Program Files\Crashpad\reports\
        6⤵
        System policy modification
        
        PID:3696
    - - C:\Program Files\dotnet\backup.exe
        
        "C:\Program Files\dotnet\backup.exe" C:\Program Files\dotnet\
        5⤵
        
        PID:2936
      - C:\Program Files\dotnet\host\backup.exe
        
        "C:\Program Files\dotnet\host\backup.exe" C:\Program Files\dotnet\host\
        6⤵
        
        PID:3876
        
        C:\Program Files\dotnet\host\fxr\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\backup.exe" C:\Program Files\dotnet\host\fxr\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe" C:\Program Files\dotnet\host\fxr\6.0.27\
        8⤵
        
        PID:2460
        
        C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe" C:\Program Files\dotnet\host\fxr\7.0.16\
        8⤵
        
        PID:2972
        
        C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe" C:\Program Files\dotnet\host\fxr\8.0.2\
        8⤵
        
        PID:1356
      - C:\Program Files\dotnet\shared\backup.exe
        
        "C:\Program Files\dotnet\shared\backup.exe" C:\Program Files\dotnet\shared\
        6⤵
        
        PID:1184
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
        7⤵
        Drops file in Program Files directory
        
        PID:624
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\
        8⤵
        
        PID:2044
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\
        8⤵
        
        PID:4884
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\
        8⤵
        
        PID:2292
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\
        7⤵
        System policy modification
        
        PID:4804
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\
        8⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\
        9⤵
        
        PID:2416
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\
        9⤵
        System policy modification
        
        PID:2128
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\
        9⤵
        
        PID:948
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\
        9⤵
        
        PID:4928
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\
        9⤵
        
        PID:3580
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\
        9⤵
        
        PID:4156
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\
        9⤵
        
        PID:512
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\
        9⤵
        
        PID:4416
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\
        9⤵
        
        PID:1276
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\
        8⤵
        Drops file in Program Files directory
        
        PID:2460
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\
        9⤵
        
        PID:4328
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\
        9⤵
        
        PID:5072
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\data.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\
        9⤵
        
        PID:1672
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\
        9⤵
        
        PID:3036
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\
        9⤵
        
        PID:5000
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\
        9⤵
        
        PID:2404
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\
        9⤵
        
        PID:2168
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\
        9⤵
        
        PID:3524
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\
        9⤵
        
        PID:3308
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\
        9⤵
        
        PID:3704
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\
        9⤵
        
        PID:760
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\
        9⤵
        
        PID:2884
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\
        9⤵
        
        PID:4340
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1076
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3316
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\
        9⤵
        
        PID:1356
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\
        9⤵
        
        PID:5012
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\
        9⤵
        
        PID:4944
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System Restore.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\
        9⤵
        
        PID:4868
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\
        9⤵
        
        PID:5032
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\
        9⤵
        
        PID:3620
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\
        9⤵
        
        PID:4700
        
        C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\
        9⤵
        
        PID:1108
      - C:\Program Files\dotnet\swidtag\backup.exe
        
        "C:\Program Files\dotnet\swidtag\backup.exe" C:\Program Files\dotnet\swidtag\
        6⤵
        
        PID:2884
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2620
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1580
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\System Restore.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\
        8⤵
        
        PID:2540
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\
        9⤵
        
        PID:1356
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\
        9⤵
        
        PID:3960
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\
        9⤵
        System policy modification
        
        PID:1344
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\
        9⤵
        
        PID:4500
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\
        9⤵
        
        PID:3512
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\
        9⤵
        
        PID:1764
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\
        10⤵
        
        PID:2176
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:964
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:408
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4704
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:460
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:4648
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:3972
      - C:\Program Files\Internet Explorer\fr-FR\update.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\update.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2792
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:4328
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:448
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:4944
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2912
      - C:\Program Files\Internet Explorer\uk-UA\backup.exe
        
        "C:\Program Files\Internet Explorer\uk-UA\backup.exe" C:\Program Files\Internet Explorer\uk-UA\
        6⤵
        
        PID:4052
    - - C:\Program Files\Java\System Restore.exe
        
        "C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        
        PID:4404
      - C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        6⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        7⤵
        
        PID:4540
        
        C:\Program Files\Java\jdk-1.8\include\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
        7⤵
        
        PID:2468
        
        C:\Program Files\Java\jdk-1.8\include\win32\data.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\data.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        8⤵
        
        PID:2896
        
        C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
        9⤵
        
        PID:1076
        
        C:\Program Files\Java\jdk-1.8\jre\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\backup.exe" C:\Program Files\Java\jdk-1.8\jre\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
        8⤵
        
        PID:4820
        
        C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3412
        
        C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
        9⤵
        
        PID:5112
        
        C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
        8⤵
        
        PID:852
        
        C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
        9⤵
        
        PID:4192
        
        C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Program Files\Java\jdk-1.8\jre\lib\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
        8⤵
        Drops file in Program Files directory
        
        PID:3556
        
        C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        9⤵
        
        PID:1512
        
        C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        9⤵
        
        PID:2616
        
        C:\Program Files\Java\jdk-1.8\jre\lib\cmm\data.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\data.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3400
        
        C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
        9⤵
        
        PID:1176
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\
        9⤵
        Drops file in Program Files directory
        
        PID:2156
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
        10⤵
        System policy modification
        
        PID:3112
        
        C:\Program Files\Java\jdk-1.8\jre\lib\jfr\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\jfr\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\
        9⤵
        
        PID:3952
        
        C:\Program Files\Java\jdk-1.8\jre\lib\management\data.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\management\data.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
        9⤵
        
        PID:424
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\
        10⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:4300
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\
        11⤵
        
        PID:4328
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Program Files\Java\jdk-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
        7⤵
        
        PID:2116
        
        C:\Program Files\Java\jdk-1.8\legal\javafx\update.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\update.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        8⤵
        
        PID:4052
        
        C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
        8⤵
        System policy modification
        
        PID:1152
        
        C:\Program Files\Java\jdk-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
        7⤵
        
        PID:3120
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        Drops file in Program Files directory
        
        PID:4396
        
        C:\Program Files\Java\jre-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
        7⤵
        
        PID:432
        
        C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        8⤵
        
        PID:2896
        
        C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        8⤵
        System policy modification
        
        PID:2400
        
        C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        8⤵
        
        PID:2948
        
        C:\Program Files\Java\jre-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        8⤵
        System policy modification
        
        PID:4940
        
        C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        8⤵
        
        PID:424
        
        C:\Program Files\Java\jre-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:3756
        
        C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        8⤵
        
        PID:4192
        
        C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        8⤵
        
        PID:3848
        
        C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        8⤵
        
        PID:3556
        
        C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe" C:\Program Files\Java\jre-1.8\lib\deploy\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Program Files\Java\jre-1.8\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\backup.exe" C:\Program Files\Java\jre-1.8\lib\ext\
        8⤵
        
        PID:3956
        
        C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe" C:\Program Files\Java\jre-1.8\lib\fonts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3640
        
        C:\Program Files\Java\jre-1.8\lib\images\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\
        8⤵
        
        PID:756
        
        C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe" C:\Program Files\Java\jre-1.8\lib\jfr\
        8⤵
        
        PID:4976
        
        C:\Program Files\Java\jre-1.8\lib\management\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\management\backup.exe" C:\Program Files\Java\jre-1.8\lib\management\
        8⤵
        
        PID:4804
        
        C:\Program Files\Java\jre-1.8\lib\security\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\
        8⤵
        
        PID:2512
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\
        9⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\limited\
        10⤵
        
        PID:1136
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\data.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\data.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2160
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:860
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:1408
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:3856
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:2924
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:5032
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:1744
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:1580
        
        C:\Program Files\Microsoft Office\root\fre\data.exe
        
        "C:\Program Files\Microsoft Office\root\fre\data.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:224
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:700
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:1920
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        System policy modification
        
        PID:5028
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:224
        
        C:\Program Files\Microsoft Office\root\Office16\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        
        PID:3608
        
        C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        8⤵
        
        PID:384
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        9⤵
        
        PID:4944
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        9⤵
        
        PID:228
        
        C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        9⤵
        
        PID:4348
        
        C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        8⤵
        
        PID:4936
        
        C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        8⤵
        
        PID:2300
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        8⤵
        
        PID:2244
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\data.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        9⤵
        
        PID:3816
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
        9⤵
        
        PID:2816
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
        10⤵
        
        PID:3076
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
        9⤵
        
        PID:4780
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\
        9⤵
        
        PID:1176
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
        9⤵
        
        PID:4648
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
        10⤵
        
        PID:3600
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
        10⤵
        
        PID:3532
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\
        10⤵
        
        PID:4344
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\
        11⤵
        
        PID:740
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        8⤵
        
        PID:700
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\
        8⤵
        
        PID:1316
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\
        9⤵
        
        PID:3824
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\
        9⤵
        
        PID:2864
        
        C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        8⤵
        
        PID:1976
        
        C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\
        8⤵
        
        PID:4300
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
        8⤵
        
        PID:1860
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\
        9⤵
        
        PID:5076
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\
        10⤵
        
        PID:3096
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f14\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f14\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f14\
        8⤵
        
        PID:4664
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f2\
        8⤵
        
        PID:3872
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f3\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f3\update.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f3\
        8⤵
        
        PID:3076
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f33\
        8⤵
        
        PID:1724
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f4\
        8⤵
        
        PID:4856
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f7\
        8⤵
        
        PID:2300
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\
        8⤵
        
        PID:5100
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\
        8⤵
        
        PID:4688
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\
        8⤵
        
        PID:4756
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\update.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\
        8⤵
        
        PID:1356
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\
        8⤵
        
        PID:3056
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_w1\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_w1\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_w1\
        8⤵
        
        PID:2152
        
        C:\Program Files\Microsoft Office\root\Office16\Library\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\
        8⤵
        
        PID:4780
        
        C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\
        9⤵
        
        PID:3796
        
        C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\
        9⤵
        
        PID:4580
        
        C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\
        8⤵
        
        PID:3624
        
        C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\data.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\
        9⤵
        
        PID:1088
        
        C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\
        10⤵
        
        PID:3400
        
        C:\Program Files\Microsoft Office\root\Office16\LogoImages\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\LogoImages\backup.exe" C:\Program Files\Microsoft Office\root\Office16\LogoImages\
        8⤵
        
        PID:4552
        
        C:\Program Files\Microsoft Office\root\Office16\MEDIA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MEDIA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MEDIA\
        8⤵
        
        PID:2384
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\
        8⤵
        
        PID:2360
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\
        9⤵
        
        PID:3368
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\update.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\
        9⤵
        
        PID:4828
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\
        9⤵
        
        PID:884
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\
        9⤵
        
        PID:3336
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\
        9⤵
        
        PID:1152
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\
        9⤵
        
        PID:4316
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\
        9⤵
        
        PID:1484
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\
        9⤵
        
        PID:4016
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\
        9⤵
        
        PID:3824
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\
        9⤵
        
        PID:4192
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\data.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\
        9⤵
        
        PID:2208
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\
        9⤵
        
        PID:3400
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\
        9⤵
        
        PID:224
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\
        9⤵
        
        PID:1564
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\
        9⤵
        
        PID:2116
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\
        9⤵
        
        PID:1136
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\
        9⤵
        
        PID:424
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\
        9⤵
        
        PID:1484
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\
        9⤵
        
        PID:4804
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\
        9⤵
        
        PID:1992
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\
        9⤵
        
        PID:1984
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\
        9⤵
        
        PID:3444
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\
        9⤵
        
        PID:4328
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\
        9⤵
        
        PID:4312
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\
        9⤵
        
        PID:4856
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\
        9⤵
        
        PID:4344
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\
        9⤵
        
        PID:2820
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\
        9⤵
        
        PID:3972
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\
        9⤵
        
        PID:2792
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\
        9⤵
        
        PID:3520
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\
        9⤵
        
        PID:5032
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\
        9⤵
        
        PID:2432
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\
        9⤵
        
        PID:64
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\
        9⤵
        
        PID:4088
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\
        9⤵
        
        PID:852
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\
        9⤵
        
        PID:2540
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\
        9⤵
        
        PID:3956
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\
        9⤵
        
        PID:3872
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\
        9⤵
        
        PID:3456
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\
        9⤵
        
        PID:808
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\
        9⤵
        
        PID:3616
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\
        9⤵
        
        PID:916
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\
        9⤵
        
        PID:3080
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\
        9⤵
        
        PID:1812
        
        C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\
        9⤵
        
        PID:1180
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\
        8⤵
        
        PID:1532
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\update.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\
        9⤵
        
        PID:1136
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\
        10⤵
        
        PID:4756
        
        C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\
        11⤵
        
        PID:4400
        
        C:\Program Files\Microsoft Office\root\rsod\backup.exe
        
        "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
        7⤵
        
        PID:4768
        
        C:\Program Files\Microsoft Office\root\Templates\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
        7⤵
        
        PID:3580
        
        C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        8⤵
        
        PID:2156
        
        C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        9⤵
        
        PID:2788
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\
        9⤵
        
        PID:3168
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\
        10⤵
        
        PID:2344
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\
        11⤵
        
        PID:1484
        
        C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        8⤵
        
        PID:4784
        
        C:\Program Files\Microsoft Office\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
        7⤵
        
        PID:3388
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\
        8⤵
        
        PID:4364
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\
        9⤵
        
        PID:3632
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\
        10⤵
        
        PID:1508
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\
        11⤵
        
        PID:1032
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\
        9⤵
        
        PID:3572
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\data.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\
        8⤵
        
        PID:4360
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\
        9⤵
        
        PID:5068
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\
        8⤵
        
        PID:700
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\
        9⤵
        
        PID:4856
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\update.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\
        9⤵
        
        PID:3336
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\
        10⤵
        
        PID:1112
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\
        10⤵
        
        PID:4928
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\
        11⤵
        
        PID:4580
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\
        10⤵
        
        PID:2888
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\
        10⤵
        
        PID:2160
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\
        10⤵
        
        PID:3820
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\
        10⤵
        
        PID:1184
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\
        10⤵
        
        PID:3352
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\
        11⤵
        
        PID:3268
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\
        11⤵
        
        PID:3296
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\
        11⤵
        
        PID:2708
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:3372
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:3620
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:3260
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\
        9⤵
        
        PID:1984
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:2084
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:4944
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\
        9⤵
        
        PID:3096
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\
        10⤵
        
        PID:1712
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\
        11⤵
        
        PID:2244
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\
        12⤵
        
        PID:4960
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\
        13⤵
        
        PID:4840
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\GAC_MSIL\
        14⤵
        
        PID:4756
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        15⤵
        
        PID:4256
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
        16⤵
        
        PID:4016
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:3268
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:2924
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1812
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:804
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:4368
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:1096
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:4740
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2540
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:540
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\data.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\data.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:1468
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:1724
      - C:\Program Files\Mozilla Firefox\uninstall\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\System Restore.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:3696
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:884
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:2796
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:2992
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:3080
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\data.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\data.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:432
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2788
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:3696
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:5116
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:4740
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:4312
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:1992
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:2708
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:3368
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:2156
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:3080
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:1432
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:1344
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:4088
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:804
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:4192
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:4436
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:2512
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:5032
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        
        PID:2620
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:3372
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        
        PID:3972
        
        C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        
        PID:3168
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:4356
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        8⤵
        
        PID:2256
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:544
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        System policy modification
        
        PID:3520
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Drops file in Program Files directory
        
        PID:2152
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:4044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:3120
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:4384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:2600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        System policy modification
        
        PID:3796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:2968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:3912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:3652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:2208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:4540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:3956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:3600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:4664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        System policy modification
        
        PID:5028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:2968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:4256
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        Drops file in Program Files directory
        
        PID:1896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:4556
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        
        PID:4980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        
        PID:5100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4196
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        Drops file in Program Files directory
        
        PID:2084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        14⤵
        
        PID:4484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        14⤵
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:1860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
        14⤵
        
        PID:2792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        
        PID:852
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        13⤵
        
        PID:5000
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        System policy modification
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        14⤵
        
        PID:1400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:4156
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        12⤵
        
        PID:3456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        13⤵
        System policy modification
        
        PID:4784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
        12⤵
        
        PID:3476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
        14⤵
        
        PID:3796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
        12⤵
        Drops file in Program Files directory
        
        PID:3252
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
        14⤵
        
        PID:3452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        
        PID:2776
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        12⤵
        
        PID:3588
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        13⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        15⤵
        
        PID:1816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        15⤵
        System policy modification
        
        PID:4636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
        15⤵
        
        PID:3600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
        15⤵
        
        PID:3352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
        15⤵
        
        PID:3504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
        15⤵
        
        PID:1184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
        15⤵
        
        PID:3112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
        15⤵
        
        PID:864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
        15⤵
        
        PID:2672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
        15⤵
        
        PID:1060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
        15⤵
        System policy modification
        
        PID:4752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
        15⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\
        15⤵
        
        PID:3040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\
        15⤵
        
        PID:4316
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\
        15⤵
        
        PID:4052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\
        15⤵
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:3260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\
        15⤵
        
        PID:2796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\
        15⤵
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\
        15⤵
        
        PID:4780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\
        15⤵
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\
        15⤵
        
        PID:4108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\
        15⤵
        
        PID:460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\
        15⤵
        
        PID:4664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\
        15⤵
        
        PID:3428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\
        15⤵
        
        PID:4400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\
        15⤵
        
        PID:1260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\
        15⤵
        
        PID:2708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\
        15⤵
        System policy modification
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\
        15⤵
        
        PID:3296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\
        15⤵
        
        PID:3192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\
        15⤵
        System policy modification
        
        PID:2536
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
        12⤵
        System policy modification
        
        PID:4780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
        12⤵
        
        PID:1988
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
        13⤵
        
        PID:4648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
        14⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        15⤵
        
        PID:3452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\
        15⤵
        
        PID:3040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\
        15⤵
        
        PID:4812
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\
        15⤵
        
        PID:5032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\
        15⤵
        System policy modification
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\
        15⤵
        
        PID:3696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\
        15⤵
        
        PID:3816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\
        15⤵
        
        PID:4464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\
        15⤵
        
        PID:2788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\
        15⤵
        
        PID:224
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\
        15⤵
        
        PID:4684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\
        15⤵
        
        PID:4424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\
        15⤵
        
        PID:1260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\
        15⤵
        
        PID:4944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\
        15⤵
        
        PID:2912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\
        15⤵
        
        PID:3524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\
        15⤵
        
        PID:992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\
        15⤵
        
        PID:4672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\
        15⤵
        
        PID:3740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\
        15⤵
        
        PID:2816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\
        15⤵
        
        PID:4368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\
        15⤵
        
        PID:4424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\
        15⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\
        15⤵
        
        PID:1108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\
        15⤵
        
        PID:2276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\
        15⤵
        
        PID:996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
        12⤵
        
        PID:3660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
        13⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
        14⤵
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\
        15⤵
        
        PID:4076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\
        15⤵
        
        PID:2240
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\
        15⤵
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\
        15⤵
        
        PID:4912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\
        15⤵
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\
        15⤵
        
        PID:5116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\
        15⤵
        
        PID:2936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\
        15⤵
        
        PID:4496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\
        15⤵
        
        PID:1564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\
        15⤵
        
        PID:2100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\
        15⤵
        
        PID:1392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\
        15⤵
        
        PID:5044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\
        15⤵
        
        PID:4672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\
        15⤵
        
        PID:4780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\
        15⤵
        
        PID:4936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\
        15⤵
        
        PID:2344
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\
        15⤵
        
        PID:4224
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\
        15⤵
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\
        15⤵
        
        PID:5080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\
        15⤵
        
        PID:4820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\
        15⤵
        
        PID:2300
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\
        15⤵
        
        PID:4580
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\
        15⤵
        
        PID:3080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\
        15⤵
        
        PID:2344
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\
        15⤵
        
        PID:5112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\
        15⤵
        
        PID:264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\
        15⤵
        
        PID:3532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\
        15⤵
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\
        15⤵
        
        PID:1060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\
        15⤵
        
        PID:4468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\
        15⤵
        
        PID:1932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\
        15⤵
        
        PID:4072
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\
        15⤵
        
        PID:460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\
        15⤵
        
        PID:3336
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
        12⤵
        
        PID:4424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\
        13⤵
        
        PID:4564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\
        14⤵
        
        PID:4648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\
        13⤵
        
        PID:2584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\
        14⤵
        
        PID:3412
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\
        12⤵
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\
        12⤵
        
        PID:2460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\
        13⤵
        
        PID:4460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\
        14⤵
        
        PID:2992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\
        14⤵
        
        PID:4272
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\
        14⤵
        
        PID:4900
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\
        15⤵
        
        PID:4324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\
        16⤵
        
        PID:4664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\
        16⤵
        
        PID:3660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\
        16⤵
        
        PID:2400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\
        16⤵
        
        PID:3192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\
        16⤵
        
        PID:2952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\
        16⤵
        
        PID:4344
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\
        16⤵
        
        PID:3956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\
        16⤵
        
        PID:4368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\
        16⤵
        
        PID:2788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\
        16⤵
        
        PID:3872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\
        16⤵
        
        PID:3936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\
        16⤵
        
        PID:4880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\
        16⤵
        
        PID:700
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\
        16⤵
        
        PID:3368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\
        16⤵
        
        PID:2256
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\
        16⤵
        
        PID:5080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\
        16⤵
        
        PID:2112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\
        16⤵
        
        PID:4648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\
        16⤵
        
        PID:2512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\
        16⤵
        
        PID:640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\
        16⤵
        
        PID:1532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\
        16⤵
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\
        16⤵
        
        PID:5068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\
        16⤵
        
        PID:4784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\
        16⤵
        
        PID:940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\
        16⤵
        
        PID:3912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\
        16⤵
        
        PID:2384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\
        16⤵
        
        PID:3872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\
        16⤵
        
        PID:1560
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\
        16⤵
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\
        16⤵
        
        PID:3912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\
        16⤵
        
        PID:3476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\
        16⤵
        
        PID:2864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\
        16⤵
        
        PID:3336
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\
        13⤵
        
        PID:368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\
        14⤵
        
        PID:4704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\
        14⤵
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\
        15⤵
        
        PID:2016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\
        16⤵
        
        PID:740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\
        14⤵
        
        PID:4460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\
        15⤵
        
        PID:4464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\
        16⤵
        
        PID:3624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\
        16⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\
        16⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\
        16⤵
        
        PID:4936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\
        16⤵
        
        PID:3824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\
        16⤵
        
        PID:3112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\
        16⤵
        
        PID:4720
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\
        16⤵
        
        PID:2784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\
        16⤵
        
        PID:404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\
        16⤵
        
        PID:2356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:4224
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:2180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        System policy modification
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:2532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:2100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:4780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:4820
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4540
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1984
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2788
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Drops file in Program Files directory
        
        PID:4940
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:3516
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:2008
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:432
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:1096
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:2112
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:2604
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:2208
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:1112
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:2948
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:4940
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:2272
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:1932
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:3932
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:1108
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:1532
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:4340
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:2112
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        
        PID:264
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        
        PID:4960
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:2592
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:2156
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:4804
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:2808
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:996
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:2620
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:3796
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:2708
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:2532
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:3336
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:4364
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:1636
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:3352
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1176
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:1580
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:3348
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:5056
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:4340
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:3504
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:4580
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:4384
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:2468
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:5104
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:5116
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:224
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1484
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        
        PID:4856
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:4844
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        9⤵
        
        PID:1932
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
        8⤵
        
        PID:2924
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        9⤵
        
        PID:2008
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
        9⤵
        
        PID:3336
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\
        9⤵
        
        PID:2516
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        9⤵
        
        PID:4964
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2240
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:2028
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:2556
      - C:\Program Files (x86)\Common Files\Oracle\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\System Restore.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:112
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        
        PID:1532
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:1660
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2516
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:3296
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:2524
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1932
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:1176
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1984
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2864
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2288
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:3852
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:512
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:4976
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:4300
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:404
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:1412
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:3088
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:460
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\data.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\data.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1136
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:4780
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:3956
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\System Restore.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2288
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1088
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:5032
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:3524
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:3832
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2244
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:3372
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\update.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\update.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1356
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:3516
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:4756
        
        C:\Program Files (x86)\Common Files\System\uk-UA\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\uk-UA\backup.exe" C:\Program Files (x86)\Common Files\System\uk-UA\
        7⤵
        
        PID:4400
    - - C:\Program Files (x86)\Google\System Restore.exe
        
        "C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:5032
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2028
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:4360
        
        C:\Program Files (x86)\Google\Update\1.3.36.371\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.371\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.371\
        7⤵
        
        PID:2820
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:1920
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:3836
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\
        9⤵
        
        PID:216
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:3348
        
        C:\Program Files (x86)\Google\Update\Install\{6ADF0E6F-E89E-4071-B634-15DAFC87E007}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{6ADF0E6F-E89E-4071-B634-15DAFC87E007}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{6ADF0E6F-E89E-4071-B634-15DAFC87E007}\
        8⤵
        
        PID:4936
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:4344
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2524
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:408
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:4844
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:4928
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:264
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:64
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:4768
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:4704
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4124
      - C:\Program Files (x86)\Internet Explorer\uk-UA\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\uk-UA\backup.exe" C:\Program Files (x86)\Internet Explorer\uk-UA\
        6⤵
        
        PID:3352
    - - C:\Program Files (x86)\Microsoft\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\System Restore.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:3216
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:1660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        
        PID:4828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:4868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        
        PID:4484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        
        PID:216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        9⤵
        
        PID:5092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        9⤵
        
        PID:408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        9⤵
        
        PID:2540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
        9⤵
        
        PID:4420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
        9⤵
        
        PID:2708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
        9⤵
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
        9⤵
        
        PID:4736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\
        10⤵
        
        PID:916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
        11⤵
        
        PID:4368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\
        9⤵
        
        PID:4484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
        10⤵
        
        PID:5068
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:4156
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1200
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:3372
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        System policy modification
        
        PID:4780
      - C:\Users\Admin\Desktop\data.exe
        
        C:\Users\Admin\Desktop\data.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:3128
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:1356
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        
        PID:3704
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:4544
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1316
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:4356
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:4328
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:3848
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:3388
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:3372
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:4656
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:400
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:4740
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:5100
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:5032
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2044
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2616
      - C:\Users\Public\Music\System Restore.exe
        
        "C:\Users\Public\Music\System Restore.exe" C:\Users\Public\Music\
        6⤵
        
        PID:4356
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:4384
      - C:\Users\Public\Videos\System Restore.exe
        
        "C:\Users\Public\Videos\System Restore.exe" C:\Users\Public\Videos\
        6⤵
        
        PID:3640
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2464
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:4940
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:4812
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:2616
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:2360
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:3580
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:2388
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:4420
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:4460
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        
        PID:1060
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:2152
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:4344
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:4720
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:3484
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:2388
      - C:\Windows\apppatch\fr-FR\System Restore.exe
        
        "C:\Windows\apppatch\fr-FR\System Restore.exe" C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:4464
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:116
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:2888
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:1260
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:5064
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:4044
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:4928
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3624
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:756
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:940
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:3076
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2620
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:4828
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4436
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:3168
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:2604
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:5112
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:224
        
        C:\Windows\assembly\GAC\stdole\data.exe
        
        C:\Windows\assembly\GAC\stdole\data.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:3088
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3076
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:1948
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\update.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\update.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:5100
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1276
        
        C:\Windows\assembly\GAC_32\ISymWrapper\data.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\data.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:3524
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4364
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:4964
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4804
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:4028
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4356
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:2468
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:5080
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe C:\Windows\assembly\GAC_32\MSBuild\
        7⤵
        
        PID:1392
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2540
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe C:\Windows\assembly\GAC_32\mscorlib\
        7⤵
        
        PID:852
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:992
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\
        7⤵
        
        PID:408
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:3456
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe C:\Windows\assembly\GAC_32\srmlib\
        7⤵
        
        PID:760
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4328
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe C:\Windows\assembly\GAC_32\System.Data\
        7⤵
        
        PID:4636
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:4420
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\
        7⤵
        
        PID:1816
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3888
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\
        7⤵
        
        PID:2388
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2276
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe C:\Windows\assembly\GAC_32\System.Printing\
        7⤵
        
        PID:3824
        
        C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:3848
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\
        7⤵
        
        PID:2888
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\data.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\data.exe C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3348
        
        C:\Windows\assembly\GAC_32\System.Web\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\backup.exe C:\Windows\assembly\GAC_32\System.Web\
        7⤵
        
        PID:5076
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:992
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:1192
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        
        PID:1316
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4720
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:4568
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2356
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\data.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\data.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        
        PID:1932
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4580
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:1408
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2808
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:3864
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1180
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe C:\Windows\assembly\GAC_64\MSBuild\
        7⤵
        
        PID:4468
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4312
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe C:\Windows\assembly\GAC_64\mscorlib\
        7⤵
        
        PID:4424
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:4984
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\
        7⤵
        
        PID:3260
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4648
        
        C:\Windows\assembly\GAC_64\srmlib\backup.exe
        
        C:\Windows\assembly\GAC_64\srmlib\backup.exe C:\Windows\assembly\GAC_64\srmlib\
        7⤵
        
        PID:2948
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1712
        
        C:\Windows\assembly\GAC_64\System.Data\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data\backup.exe C:\Windows\assembly\GAC_64\System.Data\
        7⤵
        
        PID:4540
        
        C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:2176
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:264
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2400
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        
        PID:3912
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:3616
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:4664
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        
        PID:1108
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        
        PID:4672
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
        7⤵
        
        PID:3452
- C:\Users\Admin\AppData\Local\Temp\325501614\backup.exe
  C:\Users\Admin\AppData\Local\Temp\325501614\backup.exe C:\Users\Admin\AppData\Local\Temp\325501614\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1156
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2908
- C:\Users\Admin\AppData\Local\Temp\TCD87C1.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD87C1.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD87C1.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3620
- C:\Users\Admin\AppData\Local\Temp\TCD87C2.tmp\update.exe
  C:\Users\Admin\AppData\Local\Temp\TCD87C2.tmp\update.exe C:\Users\Admin\AppData\Local\Temp\TCD87C2.tmp\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\TCD87C3.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD87C3.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD87C3.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\TCD87E4.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD87E4.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD87E4.tmp\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\TCD87E6.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD87E6.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD87E6.tmp\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\TCD8807.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8807.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8807.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5088
- C:\Users\Admin\AppData\Local\Temp\TCD8809.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8809.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8809.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\TCD883A.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD883A.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD883A.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\TCD888A.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD888A.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD888A.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4656
- C:\Users\Admin\AppData\Local\Temp\TCD888C.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD888C.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD888C.tmp\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3216
- C:\Users\Admin\AppData\Local\Temp\TCD889E.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD889E.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD889E.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\TCD88BF.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD88BF.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD88BF.tmp\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\TCD890F.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD890F.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD890F.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\TCD8950.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8950.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8950.tmp\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\TCD8961.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8961.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8961.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4436
- C:\Users\Admin\AppData\Local\Temp\TCD8973.tmp\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\TCD8973.tmp\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\TCD8973.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\TCD8975.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8975.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8975.tmp\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\TCD8996.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8996.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8996.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4808
- C:\Users\Admin\AppData\Local\Temp\TCD89C7.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD89C7.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD89C7.tmp\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4404
- C:\Users\Admin\AppData\Local\Temp\TCD89C9.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD89C9.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD89C9.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\TCD89CB.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD89CB.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD89CB.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4088
- C:\Users\Admin\AppData\Local\Temp\TCD89DD.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD89DD.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD89DD.tmp\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:756
- C:\Users\Admin\AppData\Local\Temp\TCD8A4C.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8A4C.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8A4C.tmp\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:976
- C:\Users\Admin\AppData\Local\Temp\TCD8A5E.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8A5E.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8A5E.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\TCD8A6F.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8A6F.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8A6F.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\TCD8A71.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8A71.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8A71.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\TCD8A83.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8A83.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8A83.tmp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\TCD8A94.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8A94.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8A94.tmp\
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\TCD8AB6.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8AB6.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8AB6.tmp\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\TCD8AC7.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8AC7.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8AC7.tmp\
  2⤵
  - System policy modification
  PID:3192
- C:\Users\Admin\AppData\Local\Temp\TCD8AC9.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8AC9.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8AC9.tmp\
  2⤵
  PID:3372
- C:\Users\Admin\AppData\Local\Temp\TCD8B48.tmp\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\TCD8B48.tmp\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\TCD8B48.tmp\
  2⤵
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\TCD8BA8.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8BA8.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8BA8.tmp\
  2⤵
  PID:856
- C:\Users\Admin\AppData\Local\Temp\TCD8BAA.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8BAA.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8BAA.tmp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\TCD8BBC.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8BBC.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8BBC.tmp\
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\TCD8BBE.tmp\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\TCD8BBE.tmp\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\TCD8BBE.tmp\
  2⤵
  PID:112
- C:\Users\Admin\AppData\Local\Temp\TCD8C0E.tmp\update.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8C0E.tmp\update.exe C:\Users\Admin\AppData\Local\Temp\TCD8C0E.tmp\
  2⤵
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\TCD8C10.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8C10.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8C10.tmp\
  2⤵
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\TCD8C21.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8C21.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8C21.tmp\
  2⤵
  PID:4076
- C:\Users\Admin\AppData\Local\Temp\TCD8C52.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8C52.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8C52.tmp\
  2⤵
  - System policy modification
  PID:808
- C:\Users\Admin\AppData\Local\Temp\TCD8C54.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8C54.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8C54.tmp\
  2⤵
  PID:3076
- C:\Users\Admin\AppData\Local\Temp\TCD8CB4.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8CB4.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8CB4.tmp\
  2⤵
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\TCD8D33.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8D33.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8D33.tmp\
  2⤵
  PID:4972
- C:\Users\Admin\AppData\Local\Temp\TCD8D45.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8D45.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8D45.tmp\
  2⤵
  PID:5032
- C:\Users\Admin\AppData\Local\Temp\TCD8D56.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8D56.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8D56.tmp\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System Location Discovery: System Language Discovery
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\TCD8D68.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8D68.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8D68.tmp\
  2⤵
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\TCD8DF7.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8DF7.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8DF7.tmp\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\TCD8E56.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8E56.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8E56.tmp\
  2⤵
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\TCD8E68.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8E68.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8E68.tmp\
  2⤵
  - System policy modification
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\TCD8E89.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8E89.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8E89.tmp\
  2⤵
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:3864
- C:\Users\Admin\AppData\Local\Temp\TCD8EBA.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD8EBA.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8EBA.tmp\
  2⤵
  PID:1512
- C:\Users\Admin\AppData\Local\Temp\TCD90EF.tmp\update.exe
  C:\Users\Admin\AppData\Local\Temp\TCD90EF.tmp\update.exe C:\Users\Admin\AppData\Local\Temp\TCD90EF.tmp\
  2⤵
  - System policy modification
  PID:540
- C:\Users\Admin\AppData\Local\Temp\TCD914E.tmp\backup.exe
  C:\Users\Admin\AppData\Local\Temp\TCD914E.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD914E.tmp\
  2⤵
  PID:464
- C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe C:\Users\Admin\AppData\Local\Temp\VBE\
  2⤵
  - System policy modification
  PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
122KB

MD5
ba1715cb11e88619e3e9e63cf2a7354e

SHA1
2cbb8ad1f118eeab242d66d5d535393aeee4125f

SHA256
ff2bf3704463fb4f8f79dfb86dfe4cdcec93f1e9804a83708e5fab931d5c15f3

SHA512
32655695602f60ad08bb6764c9e929cab96937111a6bcc1fbddcbc186f94a63bf00a5e1320afb64896fe7708cc6e9e5efa3a4490e170ec72d610eef60c538c1c

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
b92001c1d0d2b1dc79e1e9f74b5b24f1

SHA1
ae98fcbf5f85160db26ac782c01c44ee1e28bd7b

SHA256
3d53839ab8fb8a5d32258bf002758272d8b8e4a7163d1d756958c6ab20c02bac

SHA512
e1b0eb3cde913d7190a02d3f8ae8a030f2d9c00bebceabb252617c7cfd60b668c3d6930f598744ae655b33d314ca70988a7c2b3f2fd7027375a712629df1f8fb

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
63502e76aa714693aafca2af64fa7ce7

SHA1
3d87b0a68900526d0d21911fc6972d482e084bf0

SHA256
c2887937c9b3d7c711a235f6e96624c2f2947933b66a6a12cd699f9774f3a1a8

SHA512
c19988ed74c7d5d042f338f0ef7c4edd3795bff4237466333acf07db6c9fe2a32c5a97d991ca49c5a58041a6503a6bb4e59121b7adef659d4ab41d880f22d7f8

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
122KB

MD5
9d07420e3f39ed323fc7ba4c245b8a69

SHA1
eae8fa2dbf573d093ac4cbe409d7ecfb8a6d0775

SHA256
5e69455db7baacf72835993141a4a96360d6f32cecae3c1f0e17680a2e9d4358

SHA512
1de767269cdf20c6dbe76c10b65340161d80f02ee3f89484dc41840e70b569b72a93074568fe138152ac9194298dde1b55c4b2c49f6305bdb54d25865d15d5b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
122KB

MD5
84e3e64725dacf77fd76cefd5562e518

SHA1
363af4a05527412c4790de9ccfd8cab122fa6641

SHA256
0e803e6af8175ac8c5e54d1f620c37c06fb750b8966c1ee142d873f1c34dc362

SHA512
72efc45015956cd76f48f3ee051e27c3b03f810e83e067a08bb586940a147477d23c1503b34f4566901586305924017440811579d5c161faa7ab5fc3b0416c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\System Restore.exe

Filesize
122KB

MD5
4c976c94c669d162df989924a3fed8e6

SHA1
c9448d29f62fb3ebafd3bce96b218e8d6dc11590

SHA256
2fc0053672f52bb8e53b6739af7b3fe7fe67804a4086acc94d80a618f79dc1e7

SHA512
1d822f1fdb29b5501d648b09fde69ab90a441dfc0ba61fc5cd6e676f5e756d789c9f505c6eabf8e65c6671b0e54f7022f14d4b6664e19ec4156f99f53c54710b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
122KB

MD5
c065fb426c5bcca3392dd0fa93426d75

SHA1
79a57d07f1b1f8519c14738b363e65989d51aeb2

SHA256
474d412c46e5d922a94226d3f663b9c26f566368ac38e7e7ef2511a3a868079a

SHA512
5026b3d1c2486cd660d5cfccf9a6fce6bded29cb543b86c4a31198bb973feaac672973370826676eff0be9fc1e8295ef91b0be669e5c9600871d95c55f7851b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD888C.tmp\backup.exe

Filesize
122KB

MD5
5b48dfcc8b51356c8abf3bf459a5b36c

SHA1
1dda8bcb90c243401c5ffdf79318eb344576b323

SHA256
e0b7a8eb086d13e55fa19f80012f82a6d3ba6b90dc85ff6a6582d10d5f289986

SHA512
01ef8a3f82ce26bfb99d175cdebe8c7c4fb98d6b5e896cff98ae27ff2ebc3c90091703ec26d1935e478380994b87a1dcac572ec5a1e7d238818d2007856a64ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
522f281048a56a8df843d76c8c968791

SHA1
807317e0e37b9c3e1ca785693e6bbcfdd0493e17

SHA256
db8150768e2e1a0b34683bd5431ec292cef5618bca1e09696100b84fc2d4eaad

SHA512
f819f251fc07e9eaccbfa67f0f94c88bd07e714e9ef4c75ae3e975626069c91361c2c287c65d2a8d2208c6fceee5898a0451f99a5c9d7fd0b28c1755b9a9934c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
41KB

MD5
2caa2ea81c3e9a1821994ef46ec34189

SHA1
fc87b8273bf8889db7d09ef55c99aa8b6b0457d0

SHA256
d43c46fce0bf7219e898c529526c4b53ecfde0a9f0d2d6aab095dfc1e065b141

SHA512
ca5cbeaf40638242a1488f03d8428e7803e03721bd6847acfb857bf71e7abb79562d3c43eb4e84d199105d8ecc8b53603d05fef2bcb74c3aec71c27f8464efe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6FEE10C7-F69B-446A-9D09-7553B44D03EF}\backup.exe

Filesize
122KB

MD5
7c178385f8b3fd53a43d1fd783d0375a

SHA1
a77edc1d81c43800074a7d8db6fb7c7ecfd410ef

SHA256
56cffecb2be7fe1ae96ddcc6249424b0b533d7cbf8ca6e3bc324106ec6b4f0db

SHA512
9d0d67b95f516bef3c8e81acecc691b4aba38b762fd21caf7d0e9b93ed436ba8675ed5cbc5657cde5298af7fb2d617d3a946a0409754575ac8e65095420eca9d

Download Submit
C:\backup.exe

Filesize
122KB

MD5
fe3da1f0a536befe386463cf020b38dd

SHA1
58024819b0581ecfd29aea9294556bfeb5267e6f

SHA256
993cb58a89244a9f2641f6048a74600432dfd23dc85459e2207e1274427586e5

SHA512
1a6e225943d9b0bbf25443d0379f8a9ca0879bbea79c68c02fe26e52c9ca8d0207567e1cd926e4cac0ec73274f78579e86e0bd8c7806bdea8cc66210532b03a6

Download Submit
memory/112-548-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/368-435-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/432-286-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/536-522-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/756-377-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/808-599-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/856-512-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/940-325-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/940-339-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/976-389-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1008-425-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1156-115-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1196-121-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1204-182-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1228-410-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1528-240-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1532-490-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1532-562-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1564-573-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1580-313-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1688-499-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1744-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1816-363-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-299-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2016-375-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2084-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2084-400-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2084-100-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-401-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2152-327-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2292-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-148-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2348-564-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2380-230-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2400-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2400-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2404-350-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2432-253-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2448-192-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2460-289-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2484-437-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2512-476-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-447-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2792-538-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2828-98-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2872-536-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2884-267-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2908-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-317-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3076-612-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3084-422-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3132-610-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3192-477-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3216-223-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3372-487-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3388-524-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3428-255-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3476-463-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3608-600-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3620-96-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3696-229-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3700-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3856-575-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4004-465-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4076-588-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4088-364-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4124-196-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4132-386-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4192-587-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4240-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4248-622-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4256-279-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4328-265-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4340-489-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4356-549-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4404-343-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4436-295-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4436-557-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4440-514-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4448-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4516-277-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4568-316-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4640-122-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4640-133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4656-208-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4740-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4808-330-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4868-89-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4908-452-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4924-413-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4984-188-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5012-304-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5068-502-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5076-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5076-354-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5088-162-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads