What is Backup.exe.P_S?

Backup.exe.P_S is usually located in the 'c:\Pre_Scan\Quarantine\D\' folder.

Some of the anti-virus scanners at VirusTotal detected Backup.exe.P_S.

If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.

Vendor and version information

Backup.exe.P_S does not have any version or vendor information.

Digital signatures

Backup.exe.P_S is not signed.

VirusTotal report

67 of the 71 anti-virus programs at VirusTotal detected the Backup.exe.P_S file. That's a 94% detection rate.

Scanner    Detection Name
Ad-Aware Trojan.Scar.AG
AegisLab Trojan.Win32.Scar.lBEA
AhnLab-V3 Worm/Win32.WBNA.R77765
Alibaba Worm:Win32/Sulunch.28185aeb
ALYac Trojan.Scar.AG
Antiy-AVL Trojan/Win32.Scar
APEX Malicious
Arcabit Trojan.Scar.AG
Avast Win32:VB-AHPX [Trj]
AVG Win32:VB-AHPX [Trj]
Avira WORM/VB.Agent.vifat
Baidu Win32.Trojan.VB.ac
BitDefender Trojan.Scar.AG
BitDefenderTheta AI:Packer.D2F091AF1F
Bkav W32.FakeW7Folder.Fam.Trojan
CAT-QuickHeal Trojan.VB.Gen
ClamAV Win.Trojan.VBGeneric-6735824-0
Comodo TrojWare.Win32.WBNA.THR@59a7ea
CrowdStrike win/malicious_confidence_100% (W)
Cybereason malicious.38e0e1
Cynet Malicious (score: 100)
Cyren W32/Trojan.SATY-7156
DrWeb Trojan.MulDrop3.10901
eGambit Unsafe.AI_Score_99%
Emsisoft Trojan.Scar.AG (B)
Endgame malicious (high confidence)
ESET-NOD32 Win32/VB.OGG
F-Prot W32/Otorun.B
F-Secure Worm.WORM/VB.Agent.vifat
FireEye Generic.mg.bfbe53738e0e12eb
Fortinet W32/VB.QHS!tr
GData Trojan.Scar.AG
Invincea heuristic
Jiangmin Worm/WBNA.hgwu
K7AntiVirus P2PWorm ( 004d37d41 )
K7GW P2PWorm ( 004d37d41 )
Kaspersky Trojan.Win32.Scar.lpco
Malwarebytes Trojan.Scar
MAX malware (ai score=87)
McAfee Generic VB.b
McAfee-GW-Edition BehavesLike.Win32.VBObfus.lt
Microsoft Trojan:Win32/Sulunch!gmb
MicroWorld-eScan Trojan.Scar.AG
NANO-Antivirus Trojan.Win32.Scar.crgjex
Paloalto generic.ml
Panda Trj/Genetic.gen
Qihoo-360 Win32/Trojan.cc4
Rising Trojan.Vbex!1.99EE (CLOUD)
Sangfor Malware
SentinelOne DFI - Malicious PE
Sophos Mal/Agent-AFW
SUPERAntiSpyware Trojan.Agent/Gen-FraudPack
Symantec Infostealer
TACHYON Trojan/W32.VB-Scar.73728.L
Tencent Malware.Win32.Gencirc.10b8d12f
TotalDefense Win32/FakeFLDR_i
Trapmine malicious.moderate.ml.score
TrendMicro WORM_OTORUN.SM0
TrendMicro-HouseCall WORM_OTORUN.SM0
VBA32 TScope.Trojan.VB
VIPRE Trojan.Win32.Generic!BT
ViRobot Trojan.Win32.Scar.128768
Webroot W32.Trojan.Gen
Yandex TrojanSpy.Agent!SfeBDgjloco
Zillya Trojan.VB.Win32.69922
ZoneAlarm Trojan.Win32.Scar.lpco
Zoner Trojan.Win32.31594
67 of the 71 anti-virus programs detected the Backup.exe.P_S file.

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

Summary

{
    "regkey_written": [
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updates",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup"
    ],
    "dll_loaded": [
        "SXS.DLL",
        "ADVAPI32.dll",
        "kernel32.dll",
        "UxTheme.dll",
        "OLEAUT32.DLL",
        "dwmapi.dll",
        "comctl32",
        "OLEAUT32.dll"
    ],
    "file_opened": [
        "c:\\",
        "C:\\",
        "C:\\Windows\\Fonts\\staticcache.dat",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui"
    ],
    "regkey_opened": [
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MS Sans Serif",
        "HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\System",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\VBA\\Monitors",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Help",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\47f2f54497034d56407293bfe05c72fab964ee2dff4997d66bd46ef9e6075cf6.bin",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
    ],
    "file_exists": [
        "C:\\Windows\\System32\\C_936.NLS",
        "C:\\Windows\\System32\\C_932.NLS",
        "C:\\Windows\\System32\\.HLP",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Windows\\System32\\C_949.NLS",
        "C:\\Windows\\Help\\.HLP",
        "C:\\Windows\\System32\\C_950.NLS"
    ],
    "file_failed": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\47f2f54497034d56407293bfe05c72fab964ee2dff4997d66bd46ef9e6075cf6.exe",
        "C:\\Windows\\WINHELP.INI"
    ],
    "command_line": [
        "reg  add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Backup \/t REG_SZ \/d D:\\Backup.exe \/f",
        "cmd \/c reg add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Backup \/t REG_SZ \/d D:\\Backup.exe \/f",
        "reg  add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Updates \/t REG_SZ \/d D:\\Updates.exe \/f",
        "cmd \/c reg add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Updates \/t REG_SZ \/d D:\\Updates.exe \/f"
    ],
    "file_read": [
        "C:\\Windows\\Fonts\\staticcache.dat"
    ],
    "regkey_read": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help\\.HLP",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updates",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
    ],
    "directory_enumerated": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\*.*",
        "C:\\Windows\\System32\\reg.exe",
        "C:\\Users\\cuck\\AppData",
        "C:\\Windows\\System32\\reg.COM",
        "C:\\Windows\\System32\\reg.*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\reg",
        "C:\\Users\\cuck",
        "C:\\Python27\\Scripts\\reg",
        "C:\\Python27\\Scripts\\reg.*",
        "C:\\Users",
        "C:\\Python27\\reg.*",
        "C:\\Python27\\reg",
        "C:\\Users\\cuck\\AppData\\Local",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\reg.*"
    ]
}

Generic

[
    {
        "process_path": "C:\\Windows\\SysWOW64\\reg.exe",
        "process_name": "reg.exe",
        "pid": 1504,
        "summary": {
            "file_opened": [
                "C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                "HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updates",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
            ],
            "dll_loaded": [
                "kernel32.dll"
            ],
            "regkey_written": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updates"
            ]
        },
        "first_seen": 1592697189.327501,
        "ppid": 856
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 964,
        "summary": {
            "dll_loaded": [
                "kernel32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp"
            ],
            "command_line": [
                "reg  add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Backup \/t REG_SZ \/d D:\\Backup.exe \/f"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Windows\\System32\\reg.exe",
                "C:\\Users\\cuck\\AppData",
                "C:\\Windows\\System32\\reg.COM",
                "C:\\Windows\\System32\\reg.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\reg",
                "C:\\Users\\cuck",
                "C:\\Python27\\Scripts\\reg",
                "C:\\Python27\\Scripts\\reg.*",
                "C:\\Users",
                "C:\\Python27\\reg.*",
                "C:\\Python27\\reg",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\reg.*"
            ]
        },
        "first_seen": 1592697189.108751,
        "ppid": 1268
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\reg.exe",
        "process_name": "reg.exe",
        "pid": 1424,
        "summary": {
            "file_opened": [
                "C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                "HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
            ],
            "dll_loaded": [
                "kernel32.dll"
            ],
            "regkey_written": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup"
            ]
        },
        "first_seen": 1592697189.327501,
        "ppid": 964
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\47f2f54497034d56407293bfe05c72fab964ee2dff4997d66bd46ef9e6075cf6.bin",
        "process_name": "47f2f54497034d56407293bfe05c72fab964ee2dff4997d66bd46ef9e6075cf6.bin",
        "pid": 1268,
        "summary": {
            "dll_loaded": [
                "SXS.DLL",
                "ADVAPI32.dll",
                "UxTheme.dll",
                "OLEAUT32.DLL",
                "dwmapi.dll",
                "comctl32",
                "OLEAUT32.dll"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\",
                "c:\\",
                "C:\\Windows\\Fonts\\staticcache.dat"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MS Sans Serif",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\System",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\VBA\\Monitors",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Help",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\47f2f54497034d56407293bfe05c72fab964ee2dff4997d66bd46ef9e6075cf6.bin",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows"
            ],
            "file_exists": [
                "C:\\Windows\\System32\\C_936.NLS",
                "C:\\Windows\\System32\\C_932.NLS",
                "C:\\Windows\\System32\\.HLP",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Windows\\System32\\C_949.NLS",
                "C:\\Windows\\Help\\.HLP",
                "C:\\Windows\\System32\\C_950.NLS"
            ],
            "file_failed": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\47f2f54497034d56407293bfe05c72fab964ee2dff4997d66bd46ef9e6075cf6.exe",
                "C:\\Windows\\WINHELP.INI"
            ],
            "command_line": [
                "cmd \/c reg add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Updates \/t REG_SZ \/d D:\\Updates.exe \/f",
                "cmd \/c reg add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Backup \/t REG_SZ \/d D:\\Backup.exe \/f"
            ],
            "file_read": [
                "C:\\Windows\\Fonts\\staticcache.dat"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help\\.HLP",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\*.*"
            ]
        },
        "first_seen": 1592697188.546875,
        "ppid": 2308
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 856,
        "summary": {
            "dll_loaded": [
                "kernel32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp"
            ],
            "command_line": [
                "reg  add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Updates \/t REG_SZ \/d D:\\Updates.exe \/f"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Windows\\System32\\reg.exe",
                "C:\\Users\\cuck\\AppData",
                "C:\\Windows\\System32\\reg.COM",
                "C:\\Windows\\System32\\reg.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\reg",
                "C:\\Users\\cuck",
                "C:\\Python27\\Scripts\\reg",
                "C:\\Python27\\Scripts\\reg.*",
                "C:\\Users",
                "C:\\Python27\\reg.*",
                "C:\\Python27\\reg",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\reg.*"
            ]
        },
        "first_seen": 1592697189.093124,
        "ppid": 1268
    },
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1592697188.3125,
        "ppid": 376
    }
]

Signatures

[
    {
        "markcount": 2,
        "families": [],
        "description": "Command line console output was observed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "The operation completed successfully.\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1592697189.405501,
                    "tid": 3020,
                    "flags": {}
                },
                "pid": 1424,
                "type": "call",
                "cid": 31
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "The operation completed successfully.\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1592697189.467501,
                    "tid": 2572,
                    "flags": {}
                },
                "pid": 1504,
                "type": "call",
                "cid": 31
            }
        ],
        "references": [],
        "name": "console_output"
    },
    {
        "markcount": 10,
        "families": [],
        "description": "One or more processes crashed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1635788,
                            "edi": 5742952,
                            "eax": 1635788,
                            "ebp": 1635868,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.827875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 269
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1635788,
                            "edi": 5742952,
                            "eax": 1635788,
                            "ebp": 1635868,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.827875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 271
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1636064,
                            "edi": 5742952,
                            "eax": 1636064,
                            "ebp": 1636144,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.921875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 279
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1636064,
                            "edi": 5742952,
                            "eax": 1636064,
                            "ebp": 1636144,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.921875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 281
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1636240,
                            "edi": 5742952,
                            "eax": 1636240,
                            "ebp": 1636320,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.921875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 283
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1635788,
                            "edi": 5742952,
                            "eax": 1635788,
                            "ebp": 1635868,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.921875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 291
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1635788,
                            "edi": 5742952,
                            "eax": 1635788,
                            "ebp": 1635868,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.921875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 293
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1635788,
                            "edi": 5742952,
                            "eax": 1635788,
                            "ebp": 1635868,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.921875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 295
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1636240,
                            "edi": 5742952,
                            "eax": 1636240,
                            "ebp": 1636320,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.921875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 297
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf\nrtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228",
                        "registers": {
                            "esp": 1636348,
                            "edi": 5742952,
                            "eax": 1636348,
                            "ebp": 1636428,
                            "edx": 0,
                            "ebx": 5742952,
                            "esi": 5742952,
                            "ecx": 2
                        },
                        "exception": {
                            "instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
                            "symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
                            "instruction": "leave",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc000008f",
                            "offset": 46887,
                            "address": "0x75dbb727"
                        }
                    },
                    "time": 1592697188.921875,
                    "tid": 2740,
                    "flags": {}
                },
                "pid": 1268,
                "type": "call",
                "cid": 298
            }
        ],
        "references": [],
        "name": "raises_exception"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Foreign language identified in PE resource",
        "severity": 2,
        "marks": [
            {
                "name": "RT_MANIFEST",
                "language": "LANG_ENGLISH",
                "offset": "0x000114d4",
                "filetype": "XML 1.0 document, ASCII text, with CRLF line terminators",
                "sublanguage": "SUBLANG_ENGLISH_AUS",
                "type": "generic",
                "size": "0x000001ee"
            }
        ],
        "references": [],
        "name": "origin_langid"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1268,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "length": 24576,
                        "protection": 32,
                        "process_handle": "0xffffffff",
                        "base_address": "0x003b0000"
                    },
                    "time": 1592697188.780875,
                    "tid": 2740,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READ"
                    }
                },
                "pid": 1268,
                "type": "call",
                "cid": 18
            }
        ],
        "references": [],
        "name": "protection_rx"
    },
    {
        "markcount": 4,
        "families": [],
        "description": "Uses Windows utilities for basic Windows functionality",
        "severity": 2,
        "marks": [
            {
                "category": "cmdline",
                "ioc": "reg  add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Backup \/t REG_SZ \/d D:\\Backup.exe \/f",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "cmd \/c reg add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Backup \/t REG_SZ \/d D:\\Backup.exe \/f",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "reg  add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Updates \/t REG_SZ \/d D:\\Updates.exe \/f",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "cmd \/c reg add HKCU\\software\\microsoft\\windows\\currentversion\\run \/v Updates \/t REG_SZ \/d D:\\Updates.exe \/f",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [
            "http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
        ],
        "name": "uses_windows_utilities"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Installs itself for autorun at Windows startup",
        "severity": 3,
        "marks": [
            {
                "type": "generic",
                "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup",
                "reg_value": "D:\\Backup.exe"
            },
            {
                "type": "generic",
                "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updates",
                "reg_value": "D:\\Updates.exe"
            }
        ],
        "references": [],
        "name": "persistence_autorun"
    }
]

Yara

The Yara rules did not detect anything in the file.

Network

{
    "tls": [],
    "udp": [
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 546,
            "time": 3.139786958694458,
            "dport": 137,
            "sport": 137
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 4318,
            "time": 3.064815044403076,
            "dport": 5355,
            "sport": 51001
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 4646,
            "time": 1.0913269519805908,
            "dport": 5355,
            "sport": 53595
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 4974,
            "time": 3.074955940246582,
            "dport": 5355,
            "sport": 53848
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 5302,
            "time": 1.5599019527435303,
            "dport": 5355,
            "sport": 54255
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 5630,
            "time": -0.04155611991882324,
            "dport": 5355,
            "sport": 55314
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 5958,
            "time": 1.6252810955047607,
            "dport": 1900,
            "sport": 1900
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 14640,
            "time": 1.126697063446045,
            "dport": 3702,
            "sport": 49152
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 18832,
            "time": 3.2023189067840576,
            "dport": 1900,
            "sport": 53598
        }
    ],
    "dns_servers": [],
    "http": [],
    "icmp": [],
    "smtp": [],
    "tcp": [],
    "smtp_ex": [],
    "mitm": [],
    "hosts": [],
    "pcap_sha256": "7626d10cdc6dd8a625a10328ad39269cba883e115d705323069bb9d8733fb586",
    "dns": [],
    "http_ex": [],
    "domains": [],
    "dead_hosts": [],
    "sorted_pcap_sha256": "3f1e70eb912cb04145b8d8ba6593e44eba389b8cc18b5a7dcb8c17418e1de20c",
    "irc": [],
    "https_ex": []
}

Screenshots

Screenshot from the sandbox

Backup.exe.P_S removal instructions

The instructions below show how to remove Backup.exe.P_S with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the Backup.exe.P_S file for removal, restart your computer and scan it again to verify that Backup.exe.P_S has been successfully removed. Here are the removal instructions in more detail:

  1. Download and install FreeFixer: http://www.freefixer.com/download.html
  2. Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
    Screenshot of Start Scan button
  3. When the scan is finished, locate Backup.exe.P_S in the scan result and tick the checkbox next to the Backup.exe.P_S file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate Backup.exe.P_S in the scan result.
    Red arrow pointing at the unwanted file
    c:\Pre_Scan\Quarantine\D\Backup.exe.P_S
  4. Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the Backup.exe.P_S file.
    Screenshot of Fix button
  5. Restart your computer.
  6. Start FreeFixer and scan your computer again. If Backup.exe.P_S still remains in the scan result, proceed with the next step. If Backup.exe.P_S is gone from the scan result you're done.
  7. If Backup.exe.P_S still remains in the scan result, check its checkbox again in the scan result and click Fix.
  8. Restart your computer.
  9. Start FreeFixer and scan your computer again. Verify that Backup.exe.P_S no longer appears in the scan result.

Hashes [?]

Property Value
MD5 bfbe53738e0e12eb4154685fd3a2eab8
SHA256 47f2f54497034d56407293bfe05c72fab964ee2dff4997d66bd46ef9e6075cf6

Comments

Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.

I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.

No comments posted yet.