Urbackup installed mysteriously, where has my data been going?

Hello, I’m on a Windows 10 Lenovo laptop and I just noticed that “UrBackupClient” was listed as an “enabled” Startup App under Settings>Startup even though I have no memory of installing it and my computer has never been out of my physical possession. I just disabled it to run on startup now. I do not know how Urbackup works, so apologies if my questions below sound paranoid.

Basically I’m wondering where those backups have been going and who controls/has access to them. There is no UrBackup in my start menu or when I search the whole machine, so it doesn’t seem to be a program I can manually run or configure. Nothing about Urbackup is in my stored passwords. Under Settings>Apps & Features I do find “UrBackup (remove only)” listed with the date 9/25/2020, which I assume is the installation date, but my only option if I click on it is “Uninstall”. I have not yet uninstalled as I’m hoping to understand where the program came from and what it has been doing. Could UrBackupClient have been remote-installed piggybacking on another program installation, and if so is this a hostile installation?

The same 9/25/2020 date listed for Urbackup is shared with several other apps I very plausibly installed, most likely soon after buying the computer: Adobe Audition 2020, Adobe Creative Cloud, Adobe Digital Editions 4.5, Adobe Illustrator CC 2018, Cisco AnyConnect Secure Mobility Client, Drawful 2, GPL Ghostscript, GSview 5.0, PokerStars.net, Scrivener, Steam, Tabletop Simulator, Tabletopia, TAP-NordVPN 9.21.2, Tokaido.
Maybe PokerStars is dangerous? Or another gaming app?
There are also some programs with the 9/25/2020 date I don’t recall, but they sound harmless to me: Intel PROSet Wireless software, Microsoft Visual C++ Redistributable (6 versions), Mozilla Maintenance service, VLC media player, Vulkan Run Time Libraries 1.0.33.0, Windows Driver Package - Lenovo Monitor (08/16/2018 6.09.01.0).

Thank you in advance for any information!

Yeah, unfortunately UrBackup (by design) can be used to (silently) exfiltrate data. One needs admin permissions to install it, of course. I’m not aware of any other software it is being bundled with or this being actually used for this purpose, though.

Looking at

“C:\Program Files\UrBackup\session_idents.txt”

You can see the IP of the local server (if any) it has been backing up to.

At

“C:\Program Files\UrBackup\urbackup\data\settings.cfg”

you can see the Internet UrBackup server it backs up to (key internet_server_name, if any).

Thank you so much, uroni, for your extremely helpful reply. Based on your tips and further digging, I was able to discern that somehow a bunch of UrBackup files got copied to my machine in a defunct state four years ago, and mysteriously the program “woke up” and started trying to perform backups two years ago. It seems to have been configured to back up my previous machine to a central server at my work. Apparently our IT folks had attempted to get UrBackup running and tested it on my old machine but failed to get it working and abandoned it. How a partial setup got copied to my new machine 4 yr ago and why it started running in the background 2 yr ago despite never being properly installed remains a mystery, but at least it was only trying to back up to a non-hostile server. I’ve uninstalled and fully eradicated it now and am breathing much easier. Thanks again, I truly appreciate your help!