Malware Analysis Report

2024-12-07 02:27

Sample ID 241116-2hf7cayrhp
Target 17-10-2024__20.rar
SHA256 2e402d9779e3b3399479a69016a0912d2b5f705f33c2aa98dd2c819ac0829e28
Tags discovery persistence evasion privilege_escalation upx mydoom worm
Score 10/10

Analysis Overview

score
10/10

SHA256

2e402d9779e3b3399479a69016a0912d2b5f705f33c2aa98dd2c819ac0829e28

Threat Level: Known bad

The file 17-10-2024__20.rar was found to be: Known bad.

Malicious Activity Summary

discovery persistence evasion privilege_escalation upx mydoom worm

Modifies visibility of file extensions in Explorer

MyDoom

Mydoom family

Detects MyDoom family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Checks installed software on the system

Adds Run key to start application

Maps connected drives based on registry

Network Share Discovery

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Accessibility Features

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-16 22:34

Signatures

UPX packed file

upx

Unsigned PE

NSIS installer

installer

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{f4t8gf8r786tv76y6-45850o-eg8t4r98f7r8188} = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17-10-2024 #20\\assemblychange.exe" C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.gunnylaumienphi2017.com udp
VN 103.92.25.194:443 www.gunnylaumienphi2017.com tcp
US 8.8.8.8:53 194.25.92.103.in-addr.arpa udp
VN 103.92.25.194:443 www.gunnylaumienphi2017.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:34

Platform

win10v2004-20241007-en

Max time kernel

0s

Max time network

1s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 52.191.219.104:443 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Loads dropped DLL

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Suspicious use of UnmapMainImage

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3228 -ip 3228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 636

Network


Files

C:\Users\Admin\AppData\Local\Temp\c4cfbe60

MD5 c0022e058e3944aecadabafd07ee0e69
SHA1 60ea6b17ee1185f20ccd4e61ff65991b343c0722
SHA256 54694c14dd11001c69c546124173393a1e9ae235309afcbe44ae357064345aaa
SHA512 b128bf855392e30162d35952e28dbd240cb9bb121c920f310cbb2329a3ae5e21be3ee4fef9e4ea6dd2e8e0ff2b709c96ed32558db89b086e60d84be2d4520bff

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe"

Signatures

Checks installed software on the system

discovery

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 r1.stylezip.info udp
US 8.8.8.8:53 c1.stylezip.info udp
US 8.8.8.8:53 c2.stylemy.info udp
US 8.8.8.8:53 r2.stylemy.info udp

Files

\Users\Admin\AppData\Local\Temp\Tsu4ECCFB23.dll

MD5 af7ce801c8471c5cd19b366333c153c4
SHA1 4267749d020a362edbd25434ad65f98b073581f1
SHA256 cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e
SHA512 88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

\Users\Admin\AppData\Local\Temp\{5F19B156-FDA4-430D-A1E6-B58684FA93A0}\_Setup.dll

MD5 03c0118365077ca9ab839b7fa3d961fe
SHA1 d201e52c3e25bda0e7cde1371527f3f24b365b2c
SHA256 9b7f1db242c5377628c02229acf7f930b53848aba9fb5e6b03bd9846d493bb4e
SHA512 9625c2e172705e582b6f54c336ff7245cd60e71b9ada6f2370fb3932d218c95411970a18d198b0a64b8c41dc7bb723ab007503d817a9794e88d9a0f063e1f9be

\Users\Admin\AppData\Local\Temp\{5F19B156-FDA4-430D-A1E6-B58684FA93A0}\Custom.dll

MD5 0edf27eff845a13f2202d3a9052e754b
SHA1 5a80cc0c2fb645817da0b18df5444d634c31667a
SHA256 b5aa66dba46922adfebc057650f8df0bb6dc8b6048f6d86be7cf0a55722b4054
SHA512 653fa430bb81d067be71aa8a846265b75aa63d88cfe08c2c174168f9dd99d9dd835384bf0b6afb836247bd91c0cffd1364f78241934d090a04f9f3469a6939b2

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\UtilMan.exe"

Signatures

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\UtilMan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\UtilMan.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\UtilMan.exe"

Network


Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe"

Network


Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Dynamer.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Dynamer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Dynamer.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Dynamer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 552 -ip 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1116

Network


Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\{f4t8gf8r786tv76y6-45850o-eg8t4r98f7r8188} = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17-10-2024 #20\\assemblychange.exe" C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\assemblychange.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.gunnylaumienphi2017.com udp
VN 103.92.25.194:443 www.gunnylaumienphi2017.com tcp
VN 103.92.25.194:443 www.gunnylaumienphi2017.com tcp

Files

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe"

Signatures

Checks installed software on the system

discovery

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\TSULoader.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 r1.stylezip.info udp
US 8.8.8.8:53 c1.stylezip.info udp
US 8.8.8.8:53 r2.stylemy.info udp
US 8.8.8.8:53 c2.stylemy.info udp

Files

C:\Users\Admin\AppData\Local\Temp\Tsu304972CA.dll

C:\Users\Admin\AppData\Local\Temp\{DF77DE3F-0809-45F3-A718-402B0494FCC9}\_Setup.dll

C:\Users\Admin\AppData\Local\Temp\{DF77DE3F-0809-45F3-A718-402B0494FCC9}\Custom.dll

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\UtilMan.exe"

Signatures

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\UtilMan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\UtilMan.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\UtilMan.exe"

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20240903-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe"

Signatures

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 os.baixakialtcdn.com udp
US 8.8.8.8:53 dl.cdn.baixaki.com.br udp
US 8.8.8.8:53 partner.googleadservices.com udp
US 8.8.8.8:53 www.baixaki.com.br udp
US 8.8.8.8:53 www.googletagservices.com udp
GB 216.58.201.98:80 www.googletagservices.com tcp
GB 142.250.180.2:80 partner.googleadservices.com tcp
GB 216.58.201.98:443 www.googletagservices.com tcp
GB 179.191.165.65:80 www.baixaki.com.br tcp
GB 179.191.165.65:80 www.baixaki.com.br tcp
GB 179.191.165.65:443 www.baixaki.com.br tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 os2.baixakialtcdn.com udp
US 8.8.8.8:53 rp.baixakialtcdn.com udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\ish259442595\bootstrap_21045.html

C:\Users\Admin\AppData\Local\Temp\ish259442595\css\sdk-ui\progress-bar.css

C:\Users\Admin\AppData\Local\Temp\ish259442595\css\main.css

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\bg_new.png

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\close.png

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\color_btn.png

MD5 ccfbcbb51598a1946b19ff56c4ae9bd1
SHA1 83c5a77c766253d2c22e3b893408fe60acb46113
SHA256 7ec494b43d8c70c338929fd88af752e117bb924a4284b93567e7b8c9cb79be9f
SHA512 4a7b08a008350460beeb60e9473e497ab1c67d5ef60e927bb35a8cae574fd177b2c1a8e2df26d655e28b4ec4726d5616938ed4a612cbfcfa8f52f82d0de94426

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\resume_btn.png

MD5 5f8dcbf4ebc42ad95cfc4d9401283972
SHA1 e4060ea37daa2953bfdf8a773e447143f6365e75
SHA256 931193720d26f0007ad223fca1a440f4866047a0ca96f5d29de3e62e7ba6a731
SHA512 f918c4b834dff01c82f4b0063708d9155aef87b40fa3ae101d5d0a761ed17a348ff6ba4fb5f1e6ba4921698dcbb3e8291a25e48d180092107cb05660d948a61d

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\pause_btn.png

MD5 818b8908ace0ccc5fecbca20f2919587
SHA1 e599b4229d622c36bc6cd5b155c94c50d1a68b86
SHA256 ad2ec992fc336af09f7be4a652d240936a08bf522d10ff7fbec5dbfe0c4d332d
SHA512 7d63287a12f519524146f7ed620aee6724489fa351752e7eb64e99fae098e524e744e570d2b7abc21f89064cff2bdaa9864f7f0cda9fb9ca861d1df9a45bcd9f

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\progress.png

MD5 35a600a752d3074501de31a516860499
SHA1 51eac62cf77a0b88a3e9cb9ee6f85def21fd4bcf
SHA256 14e064857751b23da7bbe40861ef4caf99b2496227507b8e3108fbac6d901f75
SHA512 046ec179571d239bfb2d51be9837f96d9afebf2e5db77bba0f4a25ce8716d37581a3f9753bd2dbb04c47711699a9d93987bceb71df0b8becf8c577d660320069

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\progress_bar.png

MD5 eabb61abba55f80af418fa1128d1548d
SHA1 a5ee1d55de2cc60966039120c830fc19cefb0351
SHA256 717f3f02f5d5fd1478b6d2ec44acef6e70bb8f1adcf2dc030c08b92e851737e1
SHA512 d232072c9540bf0e2fd56f353c2cc83518eabf8282cc02d9f8bec81c0341287ada29ba79f2a515d68722658686b6cce97be138a48f44409562d9a567af200bd6

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\loader.gif

MD5 57ca1a2085d82f0574e3ef740b9a5ead
SHA1 2974f4bf37231205a256f2648189a461e74869c0
SHA256 476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e
SHA512 2d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\grey_btn.png

MD5 124bc01ea52af57ca245837d87460f4b
SHA1 d2726285b847e7d43c937f304b16b2cbce059662
SHA256 f12fd05169348634a4fead731020fea3b9db80a1b1738b5db8488b45ef480475
SHA512 e2f9006f8a0126ef9927a502dc1088a60af1fd36bd64deb5193e5abe2beaaeeb3c0bc47135070d7aa949205df592221e7b0bc62c3b5c420b59778b0dafa498ee

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\sheild.png

MD5 85fc7769fe307fc06b911ca91ca6c67a
SHA1 30dbf2c943538c8fcffe54a8b4e93c325d39c76a
SHA256 a4eacd03722984aaf404ac709b767bec7acd47f0f4dd1bc9b4f2615aaa0e1420
SHA512 31c60db83b2b93b716b6c5270f8304692bc405a94df414017c6be8c231aca1d8f01bcf013a94ff2894afae7c8a1248c56579e5199acad60c09a33b300d24a5ba

C:\Users\Admin\AppData\Local\Temp\ish259442595\images\welcome_prod_box.png

MD5 07cd59b954e8495ad6cd6a7c11d2de86
SHA1 787aeda3eee8053705fb208a6b399b8340820b82
SHA256 6e6b964fd79b4a3461f128e2ed145b9b641d108b8616695f36387661cae995bb
SHA512 0159aca0c2a49393fd91acd4b6819217e67f8fd01e220297eb3e0fdd8132fad794fc317f5cc5e2b761d4123da71478b97df776908de6740eb6d54187c6c00754

C:\Users\Admin\AppData\Local\Temp\ish259442595\locale\ES.locale

MD5 2fdabf60db133e5a35b708ae152ab377
SHA1 c1052419d3f7640d6f800b470190df29c79aff4a
SHA256 1142c1bb69d221869bb3a04fc19f86e6a5b4b6ffafcbe2224aac5705a9492ce2
SHA512 b47339a11abc18aea7bc5eb3d80ea055702464f1cdbfeb16459134824f7423b91bb994d93ac85a1f8a5dcaa6c965227a808f08ee10031c337337e2bc291b58b7

memory/2356-154-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-166-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-167-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-168-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-169-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-171-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-178-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-180-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-181-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-182-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-186-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-200-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-201-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-205-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-207-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-209-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-211-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-212-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-213-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-214-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-215-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-216-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-218-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-219-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-217-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-221-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-223-0x0000000001D10000-0x0000000001E56000-memory.dmp

memory/2356-222-0x0000000001D10000-0x0000000001E56000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe"

C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe

C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe /sfxv:3.1

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe

\??\c:\Users\Admin\AppData\Local\Temp\sfx1\BB40eng.dix

\??\c:\Users\Admin\AppData\Local\Temp\sfx1\tex_def.jpg

\??\c:\users\admin\appdata\local\temp\sfx1\bbgift.puz

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Zombie.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Zombie.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Zombie.exe"

Network

Country Destination Domain Proto

Files

memory/2988-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2988-1-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

34s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe N/A

Executes dropped EXE

Description Indicator Process Target

Network Share Discovery

discovery

Drops file in Program Files directory


Drops file in Windows directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe C:\backup.exe
PID 4528 wrote to memory of 4420 N/A C:\backup.exe C:\PerfLogs\backup.exe
PID 4528 wrote to memory of 1492 N/A C:\backup.exe C:\Program Files\backup.exe
PID 1492 wrote to memory of 2408 N/A C:\Program Files\backup.exe C:\Program Files\7-Zip\backup.exe
PID 2408 wrote to memory of 1200 N/A C:\Program Files\7-Zip\backup.exe C:\Program Files\7-Zip\Lang\backup.exe
PID 1492 wrote to memory of 2348 N/A C:\Program Files\backup.exe C:\Program Files\Common Files\backup.exe
PID 2348 wrote to memory of 3392 N/A C:\Program Files\Common Files\backup.exe C:\Program Files\Common Files\DESIGNER\backup.exe
PID 2348 wrote to memory of 4316 N/A C:\Program Files\Common Files\backup.exe C:\Program Files\Common Files\microsoft shared\backup.exe
PID 4316 wrote to memory of 4212 N/A C:\Program Files\Common Files\microsoft shared\backup.exe C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
PID 4316 wrote to memory of 1848 N/A C:\Program Files\Common Files\microsoft shared\backup.exe C:\Program Files\Common Files\microsoft shared\ink\backup.exe
PID 1848 wrote to memory of 4900 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
PID 1848 wrote to memory of 4540 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
PID 1848 wrote to memory of 840 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
PID 1848 wrote to memory of 928 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe
PID 1848 wrote to memory of 224 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
PID 1848 wrote to memory of 68 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
PID 1848 wrote to memory of 5000 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe
PID 1848 wrote to memory of 3232 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
PID 1848 wrote to memory of 1676 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
PID 1848 wrote to memory of 2980 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
PID 1848 wrote to memory of 2756 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe
PID 1848 wrote to memory of 3328 N/A C:\Program Files\Common Files\microsoft shared\ink\backup.exe C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Common Files\microsoft shared\VGX\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Internet Explorer\fr-FR\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Internet Explorer\fr-FR\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Public\Videos\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Common Files\microsoft shared\ink\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\data.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\System Restore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Public\Pictures\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Common Files\System\ja-JP\System Restore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Common Files\Java\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\apppatch\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System Restore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\Pictures\Saved Pictures\data.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Public\Music\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Crashpad\reports\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Windows\apppatch\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Common Files\System\msadc\it-IT\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\update.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe"

C:\backup.exe

\backup.exe \

C:\PerfLogs\backup.exe

C:\PerfLogs\backup.exe C:\PerfLogs\

C:\Program Files\backup.exe

"C:\Program Files\backup.exe" C:\Program Files\

C:\Program Files\7-Zip\backup.exe

"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\

C:\Program Files\7-Zip\Lang\backup.exe

"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\

C:\Program Files\Common Files\backup.exe

"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\

C:\Program Files\Common Files\DESIGNER\backup.exe

"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\

C:\Program Files\Common Files\microsoft shared\backup.exe

"C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\

C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\

C:\Program Files\Common Files\microsoft shared\ink\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\

C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\

C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\

C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe

"C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\

C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\

C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\

C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe

"C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\

C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\

C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\

C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\

C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe

"C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\

C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\

C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\update.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\update.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\

C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\

C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\

C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\

C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\

C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\

C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\

C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\

C:\Program Files\Common Files\microsoft shared\ink\lt-LT\update.exe

"C:\Program Files\Common Files\microsoft shared\ink\lt-LT\update.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\

C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\

C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\

C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\

C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\

C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\

C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\

C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\

C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\

C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\

C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\

C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\

C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\

C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\

C:\Program Files\Common Files\microsoft shared\ink\tr-TR\update.exe

"C:\Program Files\Common Files\microsoft shared\ink\tr-TR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\

C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\

C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\

C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe

"C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\

C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\

C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\

C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\

C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\

C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\update.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\

C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\

C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\

C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\

C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe

"C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\

C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe

"C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\

C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe

"C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\

C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe

"C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\

C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe

"C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\

C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe

"C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\

C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe

"C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\

C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe

"C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\

C:\Program Files\Common Files\microsoft shared\Triedit\en-US\data.exe

"C:\Program Files\Common Files\microsoft shared\Triedit\en-US\data.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\

C:\Program Files\Common Files\microsoft shared\VC\backup.exe

"C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\

C:\Program Files\Common Files\microsoft shared\VGX\backup.exe

"C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\

C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe

"C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe

"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe

"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\

C:\Program Files\Common Files\Services\System Restore.exe

"C:\Program Files\Common Files\Services\System Restore.exe" C:\Program Files\Common Files\Services\

C:\Program Files\Common Files\System\backup.exe

"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\

C:\Program Files\Common Files\System\ado\backup.exe

"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\

C:\Program Files\Common Files\System\ado\de-DE\backup.exe

"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\

C:\Program Files\Common Files\System\ado\en-US\System Restore.exe

"C:\Program Files\Common Files\System\ado\en-US\System Restore.exe" C:\Program Files\Common Files\System\ado\en-US\

C:\Program Files\Common Files\System\ado\es-ES\backup.exe

"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe

"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\

C:\Program Files\Common Files\System\ado\it-IT\data.exe

"C:\Program Files\Common Files\System\ado\it-IT\data.exe" C:\Program Files\Common Files\System\ado\it-IT\

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe

"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\

C:\Program Files\Common Files\System\de-DE\backup.exe

"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\

C:\Program Files\Common Files\System\en-US\backup.exe

"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\

C:\Program Files\Common Files\System\es-ES\backup.exe

"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\

C:\Program Files\Common Files\System\fr-FR\backup.exe

"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\

C:\Program Files\Common Files\System\it-IT\backup.exe

"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\

C:\Program Files\Common Files\System\ja-JP\System Restore.exe

"C:\Program Files\Common Files\System\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\ja-JP\

C:\Program Files\Common Files\System\msadc\System Restore.exe

"C:\Program Files\Common Files\System\msadc\System Restore.exe" C:\Program Files\Common Files\System\msadc\

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe

"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\

C:\Program Files\Common Files\System\msadc\en-US\backup.exe

"C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\

C:\Program Files\Common Files\System\msadc\es-ES\backup.exe

"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe

"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\

C:\Program Files\Common Files\System\msadc\it-IT\backup.exe

"C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe

"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\

C:\Program Files\Common Files\System\Ole DB\backup.exe

"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe

"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\

C:\Program Files (x86)\backup.exe

"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe

"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe

"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\

C:\Program Files (x86)\Adobe\backup.exe

"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe

"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\

C:\Program Files\Crashpad\backup.exe

"C:\Program Files\Crashpad\backup.exe" C:\Program Files\Crashpad\

C:\Program Files\Common Files\System\Ole DB\it-IT\update.exe

"C:\Program Files\Common Files\System\Ole DB\it-IT\update.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\

C:\Program Files\Crashpad\attachments\backup.exe

"C:\Program Files\Crashpad\attachments\backup.exe" C:\Program Files\Crashpad\attachments\

C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe

"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\update.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\

C:\Program Files\Crashpad\reports\backup.exe

"C:\Program Files\Crashpad\reports\backup.exe" C:\Program Files\Crashpad\reports\

C:\Program Files\Common Files\System\uk-UA\backup.exe

"C:\Program Files\Common Files\System\uk-UA\backup.exe" C:\Program Files\Common Files\System\uk-UA\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\

C:\Program Files\dotnet\backup.exe

"C:\Program Files\dotnet\backup.exe" C:\Program Files\dotnet\

C:\Program Files\dotnet\host\data.exe

"C:\Program Files\dotnet\host\data.exe" C:\Program Files\dotnet\host\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\

C:\Program Files\dotnet\host\fxr\backup.exe

"C:\Program Files\dotnet\host\fxr\backup.exe" C:\Program Files\dotnet\host\fxr\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\

C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe

"C:\Program Files\dotnet\host\fxr\6.0.27\backup.exe" C:\Program Files\dotnet\host\fxr\6.0.27\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\update.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\

C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe

"C:\Program Files\dotnet\host\fxr\7.0.16\backup.exe" C:\Program Files\dotnet\host\fxr\7.0.16\

C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe

"C:\Program Files\dotnet\host\fxr\8.0.2\backup.exe" C:\Program Files\dotnet\host\fxr\8.0.2\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\

C:\Program Files\dotnet\shared\backup.exe

"C:\Program Files\dotnet\shared\backup.exe" C:\Program Files\dotnet\shared\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\data.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\data.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\data.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\update.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\data.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\data.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System Restore.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe

"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\

C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\

C:\Users\Admin\Searches\System Restore.exe

"C:\Users\Admin\Searches\System Restore.exe" C:\Users\Admin\Searches\

C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\

C:\Users\Admin\Videos\backup.exe

C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\data.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\

C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\

C:\Users\Public\backup.exe

C:\Users\Public\backup.exe C:\Users\Public\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\

C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\

C:\Users\Public\Documents\backup.exe

C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\update.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\

C:\Users\Public\Downloads\data.exe

C:\Users\Public\Downloads\data.exe C:\Users\Public\Downloads\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\

C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\

C:\Users\Public\Music\backup.exe

C:\Users\Public\Music\backup.exe C:\Users\Public\Music\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\

C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\

C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\

C:\Users\Public\Pictures\backup.exe

C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\

C:\Users\Public\Videos\update.exe

C:\Users\Public\Videos\update.exe C:\Users\Public\Videos\

C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\

C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\

C:\Windows\backup.exe

C:\Windows\backup.exe C:\Windows\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\

C:\Windows\addins\backup.exe

C:\Windows\addins\backup.exe C:\Windows\addins\

C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\

C:\Program Files (x86)\Common Files\Java\backup.exe

"C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\

C:\Windows\appcompat\backup.exe

C:\Windows\appcompat\backup.exe C:\Windows\appcompat\

C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\

C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe

"C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\

C:\Windows\appcompat\appraiser\backup.exe

C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\

C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\

C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\

C:\Windows\appcompat\appraiser\Telemetry\backup.exe

C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\

C:\Windows\appcompat\encapsulation\backup.exe

C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\

C:\Windows\appcompat\Programs\backup.exe

C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\

C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\

C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\

C:\Windows\apppatch\backup.exe

C:\Windows\apppatch\backup.exe C:\Windows\apppatch\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\

C:\Windows\apppatch\AppPatch64\backup.exe

C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\update.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\

C:\Program Files\Java\jdk-1.8\jre\lib\security\update.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\security\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\

C:\Windows\apppatch\Custom\backup.exe

C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\

C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\

C:\Windows\apppatch\Custom\Custom64\backup.exe

C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\

C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\

C:\Windows\apppatch\CustomSDB\backup.exe

C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\

C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\update.exe

"C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\

C:\Windows\apppatch\de-DE\backup.exe

C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\

C:\Program Files\Java\jdk-1.8\legal\backup.exe

"C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\

C:\Windows\apppatch\en-US\backup.exe

C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\

C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe

"C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\

C:\Windows\apppatch\es-ES\backup.exe

C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\update.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\

C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe

"C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\System Restore.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\

C:\Windows\apppatch\fr-FR\backup.exe

C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\

C:\Windows\apppatch\it-IT\backup.exe

C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\

C:\Program Files\Java\jdk-1.8\lib\backup.exe

"C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\

C:\Windows\apppatch\ja-JP\update.exe

C:\Windows\apppatch\ja-JP\update.exe C:\Windows\apppatch\ja-JP\

C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\

C:\Program Files\Java\jre-1.8\backup.exe

"C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\

C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\

C:\Windows\AppReadiness\backup.exe

C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\

C:\Program Files\Java\jre-1.8\bin\backup.exe

"C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\

C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe

"C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\

C:\Windows\assembly\backup.exe

C:\Windows\assembly\backup.exe C:\Windows\assembly\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\

C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe

"C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\

C:\Windows\assembly\GAC\backup.exe

C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\

C:\Windows\assembly\GAC\ADODB\backup.exe

C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\

C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\

C:\Program Files\Java\jre-1.8\bin\server\backup.exe

"C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\

C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\

C:\Program Files\Java\jre-1.8\legal\backup.exe

"C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\

C:\Windows\assembly\GAC\Extensibility\update.exe

C:\Windows\assembly\GAC\Extensibility\update.exe C:\Windows\assembly\GAC\Extensibility\

C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe

"C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\

C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe

"C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\System Restore.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\


C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\

C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\update.exe

"C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\update.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\

C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe

"C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\

C:\Windows\assembly\GAC_32\System.Printing\backup.exe

C:\Windows\assembly\GAC_32\System.Printing\backup.exe C:\Windows\assembly\GAC_32\System.Printing\

C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\

C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\

C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe

"C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\

C:\Windows\assembly\GAC_32\System.Transactions\update.exe

C:\Windows\assembly\GAC_32\System.Transactions\update.exe C:\Windows\assembly\GAC_32\System.Transactions\

C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\

C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe

C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe

"C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\

C:\Windows\assembly\GAC_32\System.Web\backup.exe

C:\Windows\assembly\GAC_32\System.Web\backup.exe C:\Windows\assembly\GAC_32\System.Web\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\

C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe

"C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\

C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe

"C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\System Restore.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\

C:\Windows\assembly\GAC_64\backup.exe

C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\

C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe

"C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\

C:\Windows\assembly\GAC_64\CustomMarshalers\data.exe

C:\Windows\assembly\GAC_64\CustomMarshalers\data.exe C:\Windows\assembly\GAC_64\CustomMarshalers\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\

C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe

"C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe

"C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\

C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe

C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\

C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\update.exe

"C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\update.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\data.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\data.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\

C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe

C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe

"C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\

C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe

"C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe

"C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\

C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe

C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\

C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\

C:\Program Files (x86)\Common Files\System\uk-UA\update.exe

"C:\Program Files (x86)\Common Files\System\uk-UA\update.exe" C:\Program Files (x86)\Common Files\System\uk-UA\

C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\

C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe

C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\

C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\

C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\

C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\

C:\Windows\assembly\GAC_64\MSBuild\backup.exe

C:\Windows\assembly\GAC_64\MSBuild\backup.exe C:\Windows\assembly\GAC_64\MSBuild\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\

C:\Windows\bcastdvr\update.exe

C:\Windows\bcastdvr\update.exe C:\Windows\bcastdvr\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\

C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\

C:\Windows\Branding\backup.exe

C:\Windows\Branding\backup.exe C:\Windows\Branding\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\

C:\Windows\Branding\Basebrd\backup.exe

C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\

C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\

C:\Windows\assembly\GAC_64\mscorlib\backup.exe

C:\Windows\assembly\GAC_64\mscorlib\backup.exe C:\Windows\assembly\GAC_64\mscorlib\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\

C:\Windows\Branding\Basebrd\de-DE\backup.exe

C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\

C:\Program Files\Microsoft Office\root\Office16\Configuration\System Restore.exe

"C:\Program Files\Microsoft Office\root\Office16\Configuration\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\

C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe

C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\

C:\Windows\Branding\Basebrd\en-US\backup.exe

C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\

C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\

C:\Windows\assembly\GAC_64\PresentationCore\update.exe

C:\Windows\assembly\GAC_64\PresentationCore\update.exe C:\Windows\assembly\GAC_64\PresentationCore\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\

C:\Windows\Branding\Basebrd\es-ES\backup.exe

C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\

C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\

C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\

C:\Windows\Branding\Basebrd\fr-FR\backup.exe

C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\


C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\

C:\Program Files\Reference Assemblies\Microsoft\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\

C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe

"C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\

C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\

C:\Windows\Globalization\Time Zone\backup.exe

"C:\Windows\Globalization\Time Zone\backup.exe" C:\Windows\Globalization\Time Zone\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\

C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe

"C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\

C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\

C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe

C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\

C:\Program Files (x86)\Reference Assemblies\System Restore.exe

"C:\Program Files (x86)\Reference Assemblies\System Restore.exe" C:\Program Files (x86)\Reference Assemblies\

C:\Windows\Help\backup.exe

C:\Windows\Help\backup.exe C:\Windows\Help\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\

C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\

C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\

C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\data.exe

"C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\data.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\data.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\

C:\Windows\Help\Corporate\backup.exe

C:\Windows\Help\Corporate\backup.exe C:\Windows\Help\Corporate\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\

C:\Windows\assembly\GAC_MSIL\dfsvc\System Restore.exe

"C:\Windows\assembly\GAC_MSIL\dfsvc\System Restore.exe" C:\Windows\assembly\GAC_MSIL\dfsvc\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\

C:\Windows\Help\en-US\backup.exe

C:\Windows\Help\en-US\backup.exe C:\Windows\Help\en-US\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\

C:\Program Files\Microsoft Office\root\vfs\backup.exe

"C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\

C:\Windows\Help\Help\backup.exe

C:\Windows\Help\Help\backup.exe C:\Windows\Help\Help\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\

C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\update.exe

C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\update.exe C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\

C:\Program Files\Microsoft Office\root\vfs\Common AppData\System Restore.exe

"C:\Program Files\Microsoft Office\root\vfs\Common AppData\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\

C:\Windows\Help\mui\backup.exe

C:\Windows\Help\mui\backup.exe C:\Windows\Help\mui\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe

"C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\

C:\Windows\assembly\GAC_MSIL\IEExecRemote\backup.exe

C:\Windows\assembly\GAC_MSIL\IEExecRemote\backup.exe C:\Windows\assembly\GAC_MSIL\IEExecRemote\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\

C:\Windows\Help\mui\0407\backup.exe

C:\Windows\Help\mui\0407\backup.exe C:\Windows\Help\mui\0407\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe

"C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\

C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\update.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\

C:\Windows\assembly\GAC_MSIL\IEHost\backup.exe

C:\Windows\assembly\GAC_MSIL\IEHost\backup.exe C:\Windows\assembly\GAC_MSIL\IEHost\

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe

"C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\

C:\Windows\Help\mui\0409\backup.exe

C:\Windows\Help\mui\0409\backup.exe C:\Windows\Help\mui\0409\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\

C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\

C:\Windows\Help\mui\040C\backup.exe

C:\Windows\Help\mui\040C\backup.exe C:\Windows\Help\mui\040C\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe

"C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\System Restore.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\

C:\Windows\Help\mui\0410\backup.exe

C:\Windows\Help\mui\0410\backup.exe C:\Windows\Help\mui\0410\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\

C:\Windows\assembly\GAC_MSIL\IIEHost\System Restore.exe

"C:\Windows\assembly\GAC_MSIL\IIEHost\System Restore.exe" C:\Windows\assembly\GAC_MSIL\IIEHost\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\System Restore.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\

C:\Program Files\Microsoft Office\root\vfs\Fonts\data.exe

"C:\Program Files\Microsoft Office\root\vfs\Fonts\data.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\

C:\Windows\Help\mui\0411\backup.exe

C:\Windows\Help\mui\0411\backup.exe C:\Windows\Help\mui\0411\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\

C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\

C:\Program Files\Microsoft Office\root\vfs\Fonts\private\update.exe

"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\update.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\

C:\Windows\Help\mui\0422\backup.exe

C:\Windows\Help\mui\0422\backup.exe C:\Windows\Help\mui\0422\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\update.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\backup.exe

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe

"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\

C:\Windows\Help\mui\0C0A\backup.exe

C:\Windows\Help\mui\0C0A\backup.exe C:\Windows\Help\mui\0C0A\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe

"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\backup.exe

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\

C:\Windows\Help\OEM\backup.exe

C:\Windows\Help\OEM\backup.exe C:\Windows\Help\OEM\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\

C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe

"C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\backup.exe" C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe

"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\

C:\Windows\Help\OEM\ContentStore\backup.exe

C:\Windows\Help\OEM\ContentStore\backup.exe C:\Windows\Help\OEM\ContentStore\

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\backup.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe

"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\

Network


Files


memory/4100-280-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1532-285-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2268-290-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4892-296-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4788-300-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4052-306-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3008-310-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3180-316-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1412-320-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3588-326-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1068-331-0x0000000000400000-0x0000000000415000-memory.dmp

memory/516-336-0x0000000000400000-0x0000000000415000-memory.dmp

memory/5116-340-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2704-346-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2680-350-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2552-356-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3136-360-0x0000000000400000-0x0000000000415000-memory.dmp

memory/612-366-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1400-370-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2532-375-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1272-380-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4396-385-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1848-386-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4224-396-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3000-400-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2844-406-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2996-411-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2908-416-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3516-421-0x0000000000400000-0x0000000000415000-memory.dmp

memory/400-426-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4304-427-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4956-437-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4460-435-0x0000000000400000-0x0000000000415000-memory.dmp

memory/384-441-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3132-446-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4540-452-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4788-460-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4936-462-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3544-467-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3212-472-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2588-473-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1556-478-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4528-483-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1728-484-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4420-489-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1492-494-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4944-497-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2664-499-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4184-501-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4316-502-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2640-507-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2348-512-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3136-521-0x0000000000400000-0x0000000000415000-memory.dmp

memory/848-526-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3556-530-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2936-536-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1272-540-0x0000000000400000-0x0000000000415000-memory.dmp

memory/392-545-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3980-547-0x0000000000400000-0x0000000000415000-memory.dmp

memory/5024-552-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4224-557-0x0000000000400000-0x0000000000415000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20241023-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lohyryd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xapounq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~DFA1B1.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~DFA1B1.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe C:\Users\Admin\AppData\Local\Temp\xapounq.exe
PID 1736 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\xapounq.exe C:\Users\Admin\AppData\Local\Temp\~DFA1B1.tmp
PID 2460 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\~DFA1B1.tmp C:\Users\Admin\AppData\Local\Temp\lohyryd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe"

C:\Users\Admin\AppData\Local\Temp\xapounq.exe

C:\Users\Admin\AppData\Local\Temp\xapounq.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "

C:\Users\Admin\AppData\Local\Temp\~DFA1B1.tmp

C:\Users\Admin\AppData\Local\Temp\~DFA1B1.tmp OK

C:\Users\Admin\AppData\Local\Temp\lohyryd.exe

"C:\Users\Admin\AppData\Local\Temp\lohyryd.exe"

Network

Country Destination Domain Proto
JP 27.125.205.36:11170 tcp
KR 218.54.28.146:11180 tcp
JP 27.125.205.36:11170 tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:34

Platform

win7-20240903-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20240903-en

Max time kernel

135s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 retpolerta.com udp

Files


Analysis: behavioral9

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Dynamer.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Dynamer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Dynamer.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Dynamer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 432

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto

Files


Analysis: behavioral15

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20240903-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe"

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\services.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 mx-in-rn.apple.com udp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 17.56.176.6:25 mx-in-rn.apple.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
BE 142.251.168.26:25 aspmx.l.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 mx-in.g.apple.com udp
NL 17.57.165.2:25 mx-in.g.apple.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 64.182.22.132:25 corp.unicode.org tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
N/A 10.218.249.159:1034 tcp
US 8.8.8.8:53 crl.microsoft.com udp
US 209.202.254.10:443 search.lycos.com tcp
GB 2.18.190.71:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 tcp
US 209.202.254.10:443 tcp
GB 172.217.16.228:80 tcp
US 209.202.254.10:80 tcp

Files

memory/1716-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1716-3-0x0000000000220000-0x0000000000228000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2132-10-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1716-16-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1716-17-0x0000000000220000-0x0000000000228000-memory.dmp

memory/2132-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-20-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-25-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-31-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2132-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-36-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2132-37-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 abb7c5c40e301eabb5d6adf5d24979d2
SHA1 f1a0daf7a8ecebfaab27e7866b251550cfb1eddc
SHA256 4e6dd5f4c00ef6746122f16feb3763621bfdce08d5ebfb196f1a6436c1781f1d
SHA512 cf6ac5cc3d613079abbb7cd9d1804483843fb14746896bb47ee5fea9ded670c3ce297cf9704dbff7f48888130d68b2e5295b9222f2450efa2a8f08f7c624e1b5

C:\Users\Admin\AppData\Local\Temp\tmp254E.tmp

MD5 56c54807da77c38e3102080bf9185c18
SHA1 06708baf616e21fc532e4a79cc3a7d231a8db0a4
SHA256 e20886e6e547ffe26970ea784ed795a35f32967791e24531628f35fa65b75e73
SHA512 607e6fcdda969df83e6c6fdece5125e222c7a128abeb0f5ea6e9fbdf4d0bf882cb064d37cd7b9067a3ecb0262524dbae6b69f3b0ad71bc10a3aea3b49bd076b9

memory/1716-57-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2132-58-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-60-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-64-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2132-65-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-69-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2132-70-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-71-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2132-72-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-77-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 85af4261579468b14f65a62c1fd6bcb1
SHA1 e54cfc549527116aa325cbd9e153ca9aff3b020b
SHA256 aaae803e53bd000b68d07aeb509ebee74837d81da6451037fcfbe3f76666f8aa
SHA512 fb4a712ee27772638d387ab6645cf450f4e32c7d186b6db158fd8a96fb1e60c263323a2576d82dd922482dcafc7349072b96747328aa7268a7f5d3d932c81832

C:\Users\Admin\AppData\Local\Temp\Cab2353.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2366.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f297b1ff24a664ca8b6f0c10febba875
SHA1 d191196f3b6c74b7114245aa90e9e605ec360ae4
SHA256 969e808d819313eb78f96c83f3f8f9c91f43bd24ad9997ffda377dd4c0867583
SHA512 1070afe9a93ab15e5c638c28f46ffd596ab9226ae0e682af3adf0222988e35ef3d698f002d9a153bf5e81560d183864bf141737c1e90b859058924a7777d11a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6144a4f430de1cb26d4a961f1e91b2b
SHA1 1ec8badf4525e4167abec75060655b560fd497e2
SHA256 117c08ee83ab55d58bbaf10e6fb4f422fe1e80ffc2ae747bf5bfccbf3fb29f0c
SHA512 a0e7e582f69aea8255a4c4b07a485a21cba29b42600f90459325e1e042eef8c6f47dffad90c9f98fa03f82b473089d7921ddd692b4739da3f7bd68264d6a7126

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79ac78dbfc257aa993d56b9478b84db9
SHA1 f811b57aaf3e6ff55a0153cde1eb5ae917254f10
SHA256 3c45367462d543e0ee189a3c1a8a1a51c767bb8637567f95a2b7adf92eb6859e
SHA512 3f5c563243d39177d766188eb408a573ac6f8eb71a7ad037908f828a2a943f61f4683b404b1c2c83aa0315386e90730180ebc4ce8ef26ae1abb473049ea98322

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bc36dc815f33293a1ba117891dd92b1
SHA1 129f7802cf00ce45c45675426edf804aae2b07c6
SHA256 dbc0bb8c2b71ea38c12762a67223345b0babb6e0f66c6b1cee6ff48fbf8baef8
SHA512 dbeb539172c87413d2613df9f464abe1a9d1d192285efc72cbccef2f726985e08a19321c8edd465d9a7bd57f7870de7ff11d601b8bdc795af8ac094a42a4d1cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a9cf9bbb0f4e78c3b7fa9daec1a760a
SHA1 c3a51a4f0fdf060d412fdb755eb40feadb32ce4b
SHA256 c572cde82d872253b6a19d7c6dbeb6f7ec656a242ea52f830122a2bc5facd625
SHA512 25c5583fcaba6e3251ca7f0c5825012bf2a5eccc34f413eb858371dcb52ca04769575325bc8fc6bac6f586bb20adf133736c6e610b9363dce78a234e7e62b454

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\NWYU3UT1.htm

MD5 68189cba4db3931eacf86e39ccdd7f45
SHA1 7d7e5995bea403a6d356c2d3c010c74f74cd76fa
SHA256 22a1fe362e66ed4e42700343f73c1a3d005e10e8f190ddab741fad379f750fcc
SHA512 74ddf5d50dbb0f8ffb806e90d87fc5e81b5e8da8a3410f312c2bc1e0d246b9bdb5d982b8e19a6bfb42bf77c2c260b4266b3ae950ee323227f9a2d81f636d8f81

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 62be775b9c5cfc76051245f1718bcb7b
SHA1 45e4f96d61da2897cf26b63c2fbbd44f4221e5ae
SHA256 2f46beb33d523c0bb62688b2991f5775ca35557c8b11e6ed10de689e149e1777
SHA512 78b68279ad48f79ccb5ceae44d7995ebe17e10c3a599b24e7f440b0a8d2b87f59fc7060c39368f4e839f60e964dac41c6b23513294811daba8ef95acc69ae548

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

memory/1716-337-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2132-338-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\search[2].htm

MD5 3a6764322484d41302ef97d769af5429
SHA1 64518cd0c84a65d24b661a6842679f482964d809
SHA256 1c36d4a2256767c4bbeb524abff60d3a5c1fc05208605a32470df8998b25742e
SHA512 d107bfb2a37fae2802a4f3745367bfc9f609ccc6df2dbf34f35c4f5f708f9e95a8573e68199934fa14b273ba8195973f57d8d148494dc9d3647e891c38f25731

memory/1716-420-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2132-421-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-500-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2132-509-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\default[4].htm

MD5 ccfe63b884fe4225fa33f618a54ce37a
SHA1 bbb0778c1597eafe7fb9c5c65412f8ab04b2e311
SHA256 f7dd5bab49466a4cdb6a7f5a0e07a158f7a1567bd809ed745812469775b33112
SHA512 858f345503c89ba075b374764145fba5b1a9d3440d1628edeab0a3e02cc7cbfbe1119c20747026e69d630ed262d3c91c5073ef06823cf727dfcb11605c7c5ff8

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20241010-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Zombie.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Zombie.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Zombie.exe"

Network

N/A

Files

memory/2900-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2900-2-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 1140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1140 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2732 wrote to memory of 2476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2476 wrote to memory of 2428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 4812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4812 wrote to memory of 4044 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4044 wrote to memory of 2296 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2296 wrote to memory of 1716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1716 wrote to memory of 4000 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4000 wrote to memory of 400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 3588 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3588 wrote to memory of 4464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4464 wrote to memory of 1292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1292 wrote to memory of 4112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4112 wrote to memory of 3560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 4128 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 4128 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 4128 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4128 wrote to memory of 1164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4128 wrote to memory of 1164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4128 wrote to memory of 1164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1164 wrote to memory of 660 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1164 wrote to memory of 660 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1164 wrote to memory of 660 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 660 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 660 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 660 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 4384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 4384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 4384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4384 wrote to memory of 3464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4384 wrote to memory of 3464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4384 wrote to memory of 3464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3464 wrote to memory of 1900 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1


C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MSRATING.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/16904-0-0x0000000075660000-0x00000000758E4000-memory.dmp

memory/16888-1-0x0000000075660000-0x00000000758E4000-memory.dmp

memory/16864-3-0x0000000075660000-0x00000000758E4000-memory.dmp

memory/16876-2-0x0000000075660000-0x00000000758E4000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted 2024-11-16 22:34
Reported 2024-11-16 22:37
Platform win7-20240903-en
Max time kernel 117s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Butcher Crypter.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted 2024-11-16 22:34
Reported 2024-11-16 22:37
Platform win7-20240903-en
Max time kernel 117s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\FloodFix.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\FloodFix.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\FloodFix.exe"

Network

N/A

Files

memory/3020-0-0x0000000000400000-0x0000000000413000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted 2024-11-16 22:34
Reported 2024-11-16 22:37
Platform win10v2004-20241007-en
Max time kernel 92s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\FloodFix.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\FloodFix.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\FloodFix.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\FloodFix.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted 2024-11-16 22:34
Reported 2024-11-16 22:37
Platform win10v2004-20241007-en
Max time kernel 141s
Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\InstallCore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 www.googletagservices.com udp
US 8.8.8.8:53 partner.googleadservices.com udp
GB 142.250.180.2:80 partner.googleadservices.com tcp
GB 216.58.201.98:80 www.googletagservices.com tcp
GB 216.58.201.98:443 www.googletagservices.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/5052-0-0x0000000000401000-0x000000000040A000-memory.dmp

memory/5052-4-0x00000000023B0000-0x00000000024F6000-memory.dmp

memory/5052-6-0x00000000023B0000-0x00000000024F6000-memory.dmp

memory/5052-5-0x0000000000400000-0x0000000000415000-memory.dmp

memory/5052-1-0x00000000023B0000-0x00000000024F6000-memory.dmp

memory/5052-106-0x00000000023B0000-0x00000000024F6000-memory.dmp

memory/5052-107-0x00000000023B0000-0x00000000024F6000-memory.dmp

memory/5052-109-0x00000000023B0000-0x00000000024F6000-memory.dmp

memory/5052-108-0x00000000023B0000-0x00000000024F6000-memory.dmp

memory/5052-110-0x00000000023B0000-0x00000000024F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ish240646921\bootstrap_57590.html

C:\Users\Admin\AppData\Local\Temp\ish240646921\css\sdk-ui\progress-bar.css

C:\Users\Admin\AppData\Local\Temp\ish240646921\css\main.css

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\close.png

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\progress_bar.png

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\progress.png

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\loader.gif

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\color_btn.png

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\grey_btn.png

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\sheild.png

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\welcome_prod_box.png

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\bg_new.png

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\pause_btn.png

C:\Users\Admin\AppData\Local\Temp\ish240646921\images\resume_btn.png

memory/5052-148-0x00000000023B0000-0x00000000024F6000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted 2024-11-16 22:34
Reported 2024-11-16 22:37
Platform win10v2004-20241007-en
Max time kernel 150s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quxevyk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yzymdak.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yzymdak.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe C:\Users\Admin\AppData\Local\Temp\quxevyk.exe
PID 1756 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\quxevyk.exe C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp
PID 2132 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp C:\Users\Admin\AppData\Local\Temp\yzymdak.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe"

C:\Users\Admin\AppData\Local\Temp\quxevyk.exe

C:\Users\Admin\AppData\Local\Temp\quxevyk.exe

C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp

C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp OK

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "

C:\Users\Admin\AppData\Local\Temp\yzymdak.exe

"C:\Users\Admin\AppData\Local\Temp\yzymdak.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
JP 27.125.205.36:11170 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
KR 218.54.28.146:11180 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
JP 27.125.205.36:11170 tcp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2132-0-0x0000000000400000-0x00000000004E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\quxevyk.exe

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp

memory/2132-16-0x0000000000400000-0x00000000004E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

memory/1756-19-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/2092-21-0x0000000000400000-0x00000000004E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yzymdak.exe

memory/1636-36-0x0000000000400000-0x000000000053E000-memory.dmp

memory/1636-38-0x00000000001D0000-0x00000000001D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

memory/2092-40-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/1636-42-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/1636-41-0x0000000000400000-0x000000000053E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-11-16 22:34
Reported 2024-11-16 22:37
Platform win7-20240903-en
Max time kernel 147s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 emrlogistics.com udp
US 34.205.242.146:443 emrlogistics.com tcp
US 54.161.222.85:443 emrlogistics.com tcp
US 34.205.242.146:443 emrlogistics.com tcp
US 54.161.222.85:443 emrlogistics.com tcp
US 34.205.242.146:443 emrlogistics.com tcp
US 54.161.222.85:443 emrlogistics.com tcp
US 34.205.242.146:443 emrlogistics.com tcp
US 54.161.222.85:443 emrlogistics.com tcp

Files

memory/2708-0-0x0000000000500000-0x000000000050F000-memory.dmp

memory/2708-3-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/2708-2-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/2708-1-0x00000000001C0000-0x00000000001C6000-memory.dmp

\Users\Admin\AppData\Local\Temp\asih.exe

memory/2708-15-0x0000000000500000-0x000000000050F000-memory.dmp

memory/2672-18-0x0000000000500000-0x000000000050F000-memory.dmp

memory/2672-26-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2672-19-0x0000000000480000-0x0000000000486000-memory.dmp

memory/2672-27-0x0000000000500000-0x000000000050F000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted 2024-11-16 22:34
Reported 2024-11-16 22:37
Platform win7-20240729-en
Max time kernel 144s
Max time network 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Common Files\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Internet Explorer\it-IT\update.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\assembly\GAC_32\MSBuild\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Public\Recorded TV\Sample Media\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files\Mozilla Firefox\defaults\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

Executes dropped EXE


Loads dropped DLL


Network Share Discovery

discovery

Drops file in System32 directory


Drops file in Program Files directory


Drops file in Windows directory

File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\AspNetMMCExt\51f5ebc7dec87fb0c89540ed15a5c2b6\backup.exe N/A N/A
File opened for modification C:\Windows\inf\ASP.NET_4.0.30319\000E\backup.exe N/A N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\1041\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\backup.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\ehiProxy\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.Bml\6.1.0.0__31bf3856ad364e35\backup.exe N/A N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\backup.exe N/A N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AspNetMMCExt\System Restore.exe N/A N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.FormControl\backup.exe N/A N/A
File opened for modification C:\Windows\inf\BITS\0411\backup.exe N/A N/A
File opened for modification C:\Windows\inf\BITS\0C0A\backup.exe N/A N/A
File opened for modification C:\Windows\Resources\Themes\Aero\Shell\NormalColor\fr-FR\backup.exe N/A N/A
File opened for modification C:\Windows\Resources\Themes\Aero\Shell\NormalColor\ja-JP\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\backup.exe N/A N/A
File opened for modification C:\Windows\inf\it-IT\backup.exe N/A N/A
File opened for modification C:\Windows\inf\TermService\0409\backup.exe N/A N/A
File opened for modification C:\Windows\Help\Help\ja-JP\backup.exe N/A N/A
File opened for modification C:\Windows\IME\IMEJP10\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\update.exe N/A N/A
File opened for modification C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe N/A
File opened for modification C:\Windows\Fonts\backup.exe C:\Windows\backup.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\de-DE\backup.exe N/A N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\it-IT\backup.exe N/A N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\de\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\ehiiTV\6.1.0.0__31bf3856ad364e35\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\mcstoredb\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\backup.exe N/A N/A
File opened for modification C:\Windows\inf\ASP.NET\0015\backup.exe N/A N/A
File opened for modification C:\Windows\inf\MSDTC Bridge 4.0.0.0\0011\backup.exe N/A N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\backup.exe N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\VideoLAN\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\System Restore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Internet Explorer\SIGNUP\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\VideoLAN\VLC\locale\es_MX\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Internet Explorer\it-IT\update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe N/A
N/A N/A C:\backup.exe N/A
N/A N/A C:\PerfLogs\backup.exe N/A
N/A N/A C:\PerfLogs\Admin\backup.exe N/A
N/A N/A C:\Program Files\backup.exe N/A
N/A N/A C:\Program Files\7-Zip\backup.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\backup.exe N/A
N/A N/A C:\Program Files\Common Files\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\data.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe C:\backup.exe
PID 2768 wrote to memory of 1448 N/A C:\backup.exe C:\PerfLogs\backup.exe
PID 1448 wrote to memory of 1952 N/A C:\PerfLogs\backup.exe C:\PerfLogs\Admin\backup.exe
PID 2768 wrote to memory of 2664 N/A C:\backup.exe C:\Program Files\backup.exe
PID 2664 wrote to memory of 2224 N/A C:\Program Files\backup.exe C:\Program Files\7-Zip\backup.exe
PID 2224 wrote to memory of 1572 N/A C:\Program Files\7-Zip\backup.exe C:\Program Files\7-Zip\Lang\backup.exe
PID 2664 wrote to memory of 1720 N/A C:\Program Files\backup.exe C:\Program Files\Common Files\backup.exe
PID 1720 wrote to memory of 1960 N/A C:\Program Files\Common Files\backup.exe C:\Program Files\Common Files\Microsoft Shared\backup.exe
PID 1960 wrote to memory of 2984 N/A C:\Program Files\Common Files\Microsoft Shared\backup.exe C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
PID 1960 wrote to memory of 2384 N/A C:\Program Files\Common Files\Microsoft Shared\backup.exe C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
PID 2384 wrote to memory of 2372 N/A C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
PID 2384 wrote to memory of 1252 N/A C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
PID 2384 wrote to memory of 588 N/A C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
PID 2384 wrote to memory of 1420 N/A C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
PID 2384 wrote to memory of 2360 N/A C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
PID 2384 wrote to memory of 1944 N/A C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Google\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\Java\jre7\lib\jfr\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Windows\assembly\GAC\stdole\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Explore.exe"


"C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\

C:\Program Files\Java\jdk1.7.0_80\db\System Restore.exe

"C:\Program Files\Java\jdk1.7.0_80\db\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\db\

C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\

C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\

C:\Program Files\Java\jdk1.7.0_80\include\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\

C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\

C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\update.exe

"C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\update.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\

C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\

C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\

C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\

C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\update.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\

C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\System Restore.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\System Restore.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\

C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\data.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\update.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\System Restore.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\System Restore.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\

C:\Program Files (x86)\backup.exe

"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\

C:\Program Files (x86)\Adobe\backup.exe

"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\System Restore.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\update.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\update.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\data.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\update.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\data.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\data.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\System Restore.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\System Restore.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\

C:\Program Files (x86)\Common Files\backup.exe

"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\

C:\Program Files (x86)\Common Files\Adobe\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\

C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\

C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe

"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe

"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\System Restore.exe

"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\System Restore.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe

"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe

"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\

C:\Program Files (x86)\Common Files\microsoft shared\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\

C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\

C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\

C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\

C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\

C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\

C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\

C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\

C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\

C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\

C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\

C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\System Restore.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\

C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\

C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe

"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\

C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\

C:\Program Files\Java\jre7\backup.exe

"C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\

C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\

C:\Program Files\Java\jre7\bin\System Restore.exe

"C:\Program Files\Java\jre7\bin\System Restore.exe" C:\Program Files\Java\jre7\bin\

C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\

C:\Program Files\Java\jre7\bin\dtplugin\backup.exe

"C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\

C:\Program Files\Java\jre7\bin\plugin2\backup.exe

"C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\

C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\data.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\

C:\Program Files\Java\jre7\bin\server\data.exe

"C:\Program Files\Java\jre7\bin\server\data.exe" C:\Program Files\Java\jre7\bin\server\

C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\

C:\Program Files\Java\jre7\lib\backup.exe

"C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\

C:\Program Files\Java\jre7\lib\amd64\backup.exe

"C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\

C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\

C:\Program Files\Java\jre7\lib\applet\backup.exe

"C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\

C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\System Restore.exe

"C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\

C:\Program Files\Java\jre7\lib\cmm\System Restore.exe

"C:\Program Files\Java\jre7\lib\cmm\System Restore.exe" C:\Program Files\Java\jre7\lib\cmm\

C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\

C:\Program Files\Java\jre7\lib\deploy\backup.exe

"C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\

C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\

C:\Program Files\Java\jre7\lib\ext\backup.exe

"C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\

C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\

C:\Program Files\Java\jre7\lib\fonts\backup.exe

"C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\

C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\

C:\Program Files\Java\jre7\lib\images\System Restore.exe

"C:\Program Files\Java\jre7\lib\images\System Restore.exe" C:\Program Files\Java\jre7\lib\images\

C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\update.exe

"C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\update.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\data.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\

C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe

"C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\

C:\Program Files\Microsoft Games\Purble Place\backup.exe

"C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\

C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe

"C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe" C:\Program Files\Microsoft Games\Purble Place\de-DE\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\

C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe

"C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe" C:\Program Files\Microsoft Games\Purble Place\en-US\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\

C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe

"C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe" C:\Program Files\Microsoft Games\Purble Place\es-ES\

C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe

"C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Purble Place\fr-FR\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\

C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe

"C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe" C:\Program Files\Microsoft Games\Purble Place\it-IT\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\

C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe

"C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Purble Place\ja-JP\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\

C:\Program Files\Microsoft Games\Solitaire\backup.exe

"C:\Program Files\Microsoft Games\Solitaire\backup.exe" C:\Program Files\Microsoft Games\Solitaire\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\

C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe

"C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\Solitaire\de-DE\

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\

C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe

"C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\Solitaire\en-US\

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\data.exe

"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\

C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe

"C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\Solitaire\es-ES\

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\

C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe

"C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Solitaire\fr-FR\

C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe

"C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\Solitaire\it-IT\

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\

C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe

"C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Solitaire\ja-JP\

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\

C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe

"C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\

C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe

"C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\

C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe

"C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\

C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe

"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\

C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe

"C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\

C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe

"C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\

C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe

"C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\

C:\Program Files\Microsoft Office\backup.exe

"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\

C:\Program Files\Microsoft Office\Office14\backup.exe

"C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\

C:\Program Files\Microsoft Office\Office14\1033\backup.exe

"C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\

C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\

C:\Program Files\Mozilla Firefox\update.exe

"C:\Program Files\Mozilla Firefox\update.exe" C:\Program Files\Mozilla Firefox\

C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\

C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\

C:\Program Files\Mozilla Firefox\browser\data.exe

"C:\Program Files\Mozilla Firefox\browser\data.exe" C:\Program Files\Mozilla Firefox\browser\

C:\Program Files\Mozilla Firefox\browser\features\backup.exe

"C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\

C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\

C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe

"C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\

C:\Program Files (x86)\Common Files\microsoft shared\VC\data.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VC\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\VC\

C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VGX\

C:\Program Files\Mozilla Firefox\defaults\backup.exe

"C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\

C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe

"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\update.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\

C:\Program Files\Mozilla Firefox\fonts\backup.exe

"C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\

C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\

C:\Program Files\Mozilla Firefox\uninstall\data.exe

"C:\Program Files\Mozilla Firefox\uninstall\data.exe" C:\Program Files\Mozilla Firefox\uninstall\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\update.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\

C:\Program Files\MSBuild\backup.exe

"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\

C:\Program Files\MSBuild\Microsoft\backup.exe

"C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe

"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe

"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System Restore.exe

"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System Restore.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\

C:\Program Files\Reference Assemblies\backup.exe

"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\

C:\Program Files\Reference Assemblies\Microsoft\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\

C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\

C:\Users\backup.exe

C:\Users\backup.exe C:\Users\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\

C:\Users\Admin\update.exe

C:\Users\Admin\update.exe C:\Users\Admin\

C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\

C:\Users\Admin\Contacts\backup.exe

C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\

C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\

C:\Users\Admin\Desktop\backup.exe

C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\

C:\Users\Admin\Documents\backup.exe

C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\

C:\Users\Admin\Downloads\backup.exe

C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\

C:\Users\Admin\Favorites\backup.exe

C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\

C:\Users\Admin\Links\backup.exe

C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe

"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\

C:\Users\Admin\Music\backup.exe

C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\

C:\Program Files (x86)\Common Files\Services\backup.exe

"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\

C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe

"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\

C:\Users\Admin\Pictures\backup.exe

C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\

C:\Users\Admin\Saved Games\backup.exe

"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\

C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\System Restore.exe

"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\System Restore.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\

C:\Program Files (x86)\Common Files\System\backup.exe

"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\

C:\Users\Admin\Searches\System Restore.exe

"C:\Users\Admin\Searches\System Restore.exe" C:\Users\Admin\Searches\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\

C:\Users\Admin\Videos\backup.exe

C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\

C:\Program Files (x86)\Common Files\System\ado\backup.exe

"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\

C:\Users\Public\backup.exe

C:\Users\Public\backup.exe C:\Users\Public\

C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe

"C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\

C:\Program Files\VideoLAN\backup.exe

"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\

C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe

"C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\

C:\Users\Public\Documents\data.exe

C:\Users\Public\Documents\data.exe C:\Users\Public\Documents\

C:\Program Files\VideoLAN\VLC\backup.exe

"C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\

C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe

"C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\

C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe

"C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\

C:\Users\Public\Downloads\backup.exe

C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\

C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe

"C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\

C:\Program Files\VideoLAN\VLC\locale\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\

C:\Users\Public\Music\backup.exe

C:\Users\Public\Music\backup.exe C:\Users\Public\Music\

C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe

"C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\

C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\

C:\Users\Public\Music\Sample Music\backup.exe

"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\

C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe

"C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\

C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\

C:\Program Files (x86)\Common Files\System\de-DE\backup.exe

"C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\

C:\Users\Public\Pictures\backup.exe

C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\

C:\Program Files\VideoLAN\VLC\locale\af\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\

C:\Program Files (x86)\Common Files\System\en-US\backup.exe

"C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\

C:\Users\Public\Pictures\Sample Pictures\backup.exe

"C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\

C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\

C:\Program Files (x86)\Common Files\System\es-ES\backup.exe

"C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\


C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\

C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\

C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\

C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\

C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\

C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\

C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\

C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\

C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\

C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\

C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\backup.exe C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\

C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\

C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\

C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\

C:\Program Files\VideoLAN\VLC\locale\he\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\he\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\

C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\

C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\backup.exe C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\

C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\update.exe

"C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\update.exe

C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\update.exe C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\

C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\

C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\

C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\

C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\

C:\Windows\assembly\GAC_32\MSBuild\backup.exe

C:\Windows\assembly\GAC_32\MSBuild\backup.exe C:\Windows\assembly\GAC_32\MSBuild\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\

C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\

C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe

C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\

C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\System Restore.exe

"C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\

C:\Windows\assembly\GAC_32\mscorlib\data.exe

C:\Windows\assembly\GAC_32\mscorlib\data.exe C:\Windows\assembly\GAC_32\mscorlib\

C:\Program Files\VideoLAN\VLC\locale\hu\data.exe

"C:\Program Files\VideoLAN\VLC\locale\hu\data.exe" C:\Program Files\VideoLAN\VLC\locale\hu\

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\

C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\

C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe

C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\

C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\

C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\

C:\Windows\assembly\GAC_32\napcrypt\backup.exe

C:\Windows\assembly\GAC_32\napcrypt\backup.exe C:\Windows\assembly\GAC_32\napcrypt\

C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\

C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\

C:\Windows\assembly\GAC_32\napcrypt\6.1.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_32\napcrypt\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\napcrypt\6.1.0.0__31bf3856ad364e35\

C:\Program Files\VideoLAN\VLC\locale\id\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\id\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\

C:\Windows\assembly\GAC_32\naphlpr\System Restore.exe

"C:\Windows\assembly\GAC_32\naphlpr\System Restore.exe" C:\Windows\assembly\GAC_32\naphlpr\

C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\

C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1036\

C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\

C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\3082\

C:\Program Files\VideoLAN\VLC\locale\ie\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ie\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ie\

C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\System Restore.exe

"C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\System Restore.exe" C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\

C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\

C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\

C:\Program Files\VideoLAN\VLC\locale\is\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\is\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\

C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\System Restore.exe

"C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\

C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\backup.exe

C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\

C:\Program Files\VideoLAN\VLC\locale\it\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\it\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\

C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\

C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\

C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\

C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\backup.exe

C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\

C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\

C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\

C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\

C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\backup.exe

C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\

C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe

"C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe

"C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\

C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe

C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\

Network

N/A

Files

memory/2464-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2464-7-0x0000000000810000-0x0000000000811000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\temp.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\temp.zip

MD5 bb7ddc5a0e5bf2e8df7d604a6604aa5e
SHA1 6caf7ba1f25945149cbe8a3d68ed030663f79a30
SHA256 d9290983aaa1fcf0b58f7940de4ff93d717f2729d94e269f274ab1e54e938c89
SHA512 99d2a0c874caf4c3914131f4f8e116cd1df2fb9afecc0cda7eba5657066655e2f1fa69613954d55bf3944f646d2233f4308d3083f71c5a91103ba0fa305cdd8e

C:\backup.exe

MD5 bfe077ecdd6fce40a22d10f3fd893593
SHA1 63427270f8261e1dd3a305c2bdb4b63f33276c10
SHA256 8bcd26d7095cf4b638f89fab876695093bc13c1584e669b8f6b4cefbd91c7e08
SHA512 aac199e8c2d9367a88a9c0fbbd9f4d11d566d336d76cb335197bfecf7a861f0963230cca851627aaeb02ed3db75dd53d7077a90d0c2284eaa0acd3fc03622187

memory/2464-25-0x00000000026D0000-0x00000000026E5000-memory.dmp

\PerfLogs\backup.exe

MD5 158488438e73a03cf9bba81a9e1e8cb2
SHA1 c6cf9b0de1620489dee8b2cdcbb8c1538f13beec
SHA256 8912d62f2a84bfd7388c9e22831cc1a6011f5239ea264b58a615db37d16b4ccd
SHA512 2737f3aac21fe355105f2273735e1bc32c16ff3b85beea9df278eb007309155a7b2add435e759f9acd5f447b2c1756bd9303bd58950db162936c81d76952d24d

memory/2768-38-0x00000000002E0000-0x00000000002F5000-memory.dmp

\PerfLogs\Admin\backup.exe

MD5 2d3ed7e323e33c9ec9690f52911e1ee9
SHA1 ad6244b0b3e7355567fb95eb360af8497700d226
SHA256 8a597fb653719148aa5b85bc4834ca379255c6742d2deaba09065fabe6410a3d
SHA512 2a5d56f75fc13c4fae900744d8867f39cbbe8e52a989054498051a841b2ac36a5b28fa68d5b0a3c6fb20110c14efd91297eff00d37441d101319d5dad5709bdc

\Program Files\7-Zip\Lang\backup.exe

MD5 1a57298688d6ad84163fecabd3f9f485
SHA1 5c8ac12f2a43a098c947fa00633992a31e4744fe
SHA256 d45402b218ffe4a721045a8b3aea1159b4040e9b5dbfcd832f5a928e367d2f69
SHA512 2bf0824bb8caa3f40214d74a1b7a16a4fe60f53ef8ad0b2e2bbf7a762d8dbe44154a52e9d221dedfab50838c7340a0495659dab14d5b8fdb5aac682ce71cd778

\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

MD5 93395f1c6eae43b99875552478fae56e
SHA1 44b93938ec9b3440081d428737ed5f507e6e9f41
SHA256 ffdf67d439e9f3a37c420c8c22cc0d46dfce7fb9372720a5a8fdaa7d6960eb66
SHA512 72545398191df41d43428215a0384e5b1dcfdbb57f9b355738dcccf57e07dc63823d02158d2ddf3f7eb4017382dcae33768ecf747d919e92a8de0e2a893714ba

memory/1960-128-0x0000000000310000-0x0000000000325000-memory.dmp

memory/1960-127-0x0000000000310000-0x0000000000325000-memory.dmp

\Program Files\Common Files\Microsoft Shared\ink\backup.exe

MD5 18138b51bfcfb611986515843b84339a
SHA1 3248b6951789f79348913cd3e5f1dff4c3da5cef
SHA256 5c0be8f1318b70bc01c71be24928d69c59420aad7846b30e4d73646acf59c1e5
SHA512 5262799167b693bcb8b4558844d23225d97b1a3ad8b475ba1da94f3384b148cb2f06583cdaf4fb770d83656874ea919aed8fb62b9cc01347237ee95db1402621

memory/1960-140-0x0000000000310000-0x0000000000325000-memory.dmp

memory/2984-133-0x0000000000400000-0x0000000000415000-memory.dmp

\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

MD5 747a64f317d99024ed51b46240e5c102
SHA1 216b58459efe8f5e0770b097559ab3c8e15e7d9f
SHA256 03787efda57ae549bf5515b88d644a8cad594feae11f740f064c063763d070f7
SHA512 16a6e230dfbcb6620e1acbf97b59a0679a13b47f071e3454d40549ee8f555539afc8d126bbad172ab593621447802b5899590547501a3d63f6d3a20afbce7ed9


memory/2716-6572-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/2248-6655-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/2248-6656-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/1700-6728-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2648-6726-0x0000000000230000-0x0000000000240000-memory.dmp

memory/2648-6725-0x0000000000230000-0x0000000000240000-memory.dmp

memory/996-6934-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2752-7062-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/2752-7063-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/2932-7089-0x00000000003B0000-0x00000000003C0000-memory.dmp

memory/2932-7090-0x00000000003B0000-0x00000000003C0000-memory.dmp

memory/996-7201-0x0000000000220000-0x0000000000230000-memory.dmp

memory/996-7202-0x0000000000220000-0x0000000000230000-memory.dmp

memory/1524-7216-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2676-7315-0x0000000000220000-0x0000000000230000-memory.dmp

memory/1804-7299-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2676-7314-0x0000000000220000-0x0000000000230000-memory.dmp

memory/1804-7300-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2096-7465-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/2096-7466-0x00000000001B0000-0x00000000001C0000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe"

Signatures

Detects MyDoom family

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe C:\Windows\services.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Flyagent.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network


Files

C:\Windows\services.exe

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\tmp9DAD.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PTWQX4L2\search[1].htm


Analysis: behavioral21

Detonation Overview

Submitted

2024-11-16 22:34

Reported

2024-11-16 22:37

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe

"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\MulDrop.exe"

C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe

C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe /sfxv:3.1

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe

\??\c:\Users\Admin\AppData\Local\Temp\sfx1\BB40eng.dix

\??\c:\Users\Admin\AppData\Local\Temp\sfx1\tex_def.jpg

\??\c:\users\admin\appdata\local\temp\sfx1\bbgift.puz
