Windows Analysis Report
praxisbackup.exe

Overview

General Information

Sample name: praxisbackup.exe
Analysis ID: 1541092
MD5: dbf8fe8bde46ead1bc550a03ad4a3f74
SHA1: 888f27dd2269119cf9524474a6a0b559d0d201a1
SHA256: ca601708a3822d4f1fbea39171c8d5e94c0b8741f35a5a2fb63cd6d71da29b1a
Tags: exeMS4Killeruser-smica83
Infos:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Sample is not signed and drops a device driver
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables driver privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: praxisbackup.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: praxisbackup.exe ReversingLabs: Detection: 52%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 85.8% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64218BB80 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,HeapFree,CreateNamedPipeW,GetLastError,BCryptGenRandom,BCryptGenRandom,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,BCryptGenRandom,HeapFree, 0_2_00007FF64218BB80
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642192750 BCryptGenRandom, 0_2_00007FF642192750
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642192730 BCryptGenRandom, 0_2_00007FF642192730
Source: praxisbackup.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\itm_mon\itm_mon_3.0.0.4\driver\objfre_wlh_amd64\amd64\Probmon.pdb source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642181A20 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,FindFirstFileW,FindClose,HeapFree, 0_2_00007FF642181A20
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421A08D8 FindFirstFileExW, 0_2_00007FF6421A08D8
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr String found in binary or memory: http://www.globalsign.net/repository/0
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr String found in binary or memory: http://www.globalsign.net/repository09
Contains functionality to call native functions
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642161C00 FilterConnectCommunicationPort,GetCommandLineW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenSCManagerW,OpenServiceW,FilterLoad,CloseServiceHandle,CloseServiceHandle,HeapFree,GlobalMemoryStatusEx,GetLastError,K32GetPerformanceInfo,PdhCollectQueryData,PdhOpenQueryA,HeapFree,NtQuerySystemInformation,HeapFree,HeapFree,HeapFree,AcquireSRWLockExclusive,HeapFree,Sleep,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,Sleep,FilterConnectCommunicationPort,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,PdhRemoveCounter,CloseHandle,GetLastError,HeapFree,PdhCloseQuery,HeapFree,HeapFree,HeapFree,FilterSendMessage,HeapFree,CloseHandle,HeapFree,HeapFree, 0_2_00007FF642161C00
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642179610 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_00007FF642179610
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421963E0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,GetProcessMemoryInfo,GetLastError,GetLastError,GetModuleFileNameExW,HeapFree, 0_2_00007FF6421963E0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642197A50 NtQueryInformationProcess,NtQueryInformationProcess,HeapFree,HeapFree, 0_2_00007FF642197A50
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421637C9 NtQuerySystemInformation, 0_2_00007FF6421637C9
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64216381D HeapFree,NtQuerySystemInformation, 0_2_00007FF64216381D
Creates driver files
Source: C:\Users\user\Desktop\praxisbackup.exe File created: C:\Windows\System32\Drivers\Sysprox.sys Jump to behavior
Creates files inside the driver directory
Source: C:\Users\user\Desktop\praxisbackup.exe File created: C:\Windows\System32\Drivers\Sysprox.sys Jump to behavior
Creates files inside the system directory
Source: C:\Users\user\Desktop\praxisbackup.exe File created: C:\Windows\System32\Drivers\Sysprox.sys Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642199350 0_2_00007FF642199350
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642161C2B 0_2_00007FF642161C2B
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642161C00 0_2_00007FF642161C00
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64218BB80 0_2_00007FF64218BB80
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421963E0 0_2_00007FF6421963E0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64216CC20 0_2_00007FF64216CC20
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642163C3B 0_2_00007FF642163C3B
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642198450 0_2_00007FF642198450
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64218A4B0 0_2_00007FF64218A4B0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421654B8 0_2_00007FF6421654B8
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64217ACC0 0_2_00007FF64217ACC0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642176970 0_2_00007FF642176970
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642194140 0_2_00007FF642194140
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642171990 0_2_00007FF642171990
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64217C190 0_2_00007FF64217C190
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421991C0 0_2_00007FF6421991C0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642193210 0_2_00007FF642193210
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642168280 0_2_00007FF642168280
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421AC2C0 0_2_00007FF6421AC2C0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421942C0 0_2_00007FF6421942C0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421AB2D0 0_2_00007FF6421AB2D0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64219EF40 0_2_00007FF64219EF40
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421A97B0 0_2_00007FF6421A97B0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64217D870 0_2_00007FF64217D870
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421830B5 0_2_00007FF6421830B5
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642192880 0_2_00007FF642192880
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642170090 0_2_00007FF642170090
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642180090 0_2_00007FF642180090
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421A08D8 0_2_00007FF6421A08D8
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642170920 0_2_00007FF642170920
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64216B910 0_2_00007FF64216B910
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642195D60 0_2_00007FF642195D60
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642198D60 0_2_00007FF642198D60
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64216ADA0 0_2_00007FF64216ADA0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64218B5B0 0_2_00007FF64218B5B0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64217C5B0 0_2_00007FF64217C5B0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64218A660 0_2_00007FF64218A660
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421A7EA8 0_2_00007FF6421A7EA8
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64217CEF0 0_2_00007FF64217CEF0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64218F6D0 0_2_00007FF64218F6D0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642188720 0_2_00007FF642188720
Enables driver privileges
Source: C:\Users\user\Desktop\praxisbackup.exe Process token adjusted: Load Driver Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: String function: 00007FF642168810 appears 78 times
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136
Sample file is different than original file name gathered from version info
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprobmon.sys4 vs praxisbackup.exe
Source: classification engine Classification label: mal72.evad.winEXE@7/8@0/0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64217ACC0 GetModuleHandleW,FormatMessageW,GetLastError,HeapFree,HeapFree, 0_2_00007FF64217ACC0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642161C2B FilterConnectCommunicationPort,HeapFree,GetCurrentProcessId,FilterSendMessage,HeapFree,CloseHandle,HeapFree,GetProcessHeap,HeapFree,GetCommandLineW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,HeapFree,LookupPrivilegeValueW,HeapFree,AdjustTokenPrivileges,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,OpenSCManagerW,HeapFree,OpenServiceW,GetLastError,CreateServiceW,HeapFree,RegOpenKeyW,HeapFree,RegCreateKeyW,HeapFree,RegCreateKeyW,HeapFree,RegSetValueExW,HeapFree,RegSetValueExW,HeapFree,HeapFree,FilterLoad,CloseServiceHandle,HeapFree,CloseServiceHandle,HeapFree,HeapFree,GlobalMemoryStatusEx,GetLastError,K32GetPerformanceInfo,PdhCollectQueryData,HeapFree,HeapFree, 0_2_00007FF642161C2B
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642161C00 FilterConnectCommunicationPort,GetCommandLineW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenSCManagerW,OpenServiceW,FilterLoad,CloseServiceHandle,CloseServiceHandle,HeapFree,GlobalMemoryStatusEx,GetLastError,K32GetPerformanceInfo,PdhCollectQueryData,PdhOpenQueryA,HeapFree,NtQuerySystemInformation,HeapFree,HeapFree,HeapFree,AcquireSRWLockExclusive,HeapFree,Sleep,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,Sleep,FilterConnectCommunicationPort,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,PdhRemoveCounter,CloseHandle,GetLastError,HeapFree,PdhCloseQuery,HeapFree,HeapFree,HeapFree,FilterSendMessage,HeapFree,CloseHandle,HeapFree,HeapFree, 0_2_00007FF642161C00
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: FilterConnectCommunicationPort,HeapFree,GetCurrentProcessId,FilterSendMessage,HeapFree,CloseHandle,HeapFree,GetProcessHeap,HeapFree,GetCommandLineW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,HeapFree,LookupPrivilegeValueW,HeapFree,AdjustTokenPrivileges,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,OpenSCManagerW,HeapFree,OpenServiceW,GetLastError,CreateServiceW,HeapFree,RegOpenKeyW,HeapFree,RegCreateKeyW,HeapFree,RegCreateKeyW,HeapFree,RegSetValueExW,HeapFree,RegSetValueExW,HeapFree,HeapFree,FilterLoad,CloseServiceHandle,HeapFree,CloseServiceHandle,HeapFree,HeapFree,GlobalMemoryStatusEx,GetLastError,K32GetPerformanceInfo,PdhCollectQueryData,HeapFree,HeapFree, 0_2_00007FF642161C2B
Source: C:\Windows\System32\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4136
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\04940959-5de7-442f-b0ab-e767a510a4d1 Jump to behavior
Source: praxisbackup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\praxisbackup.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: praxisbackup.exe ReversingLabs: Detection: 52%
Source: unknown Process created: C:\Users\user\Desktop\praxisbackup.exe "C:\Users\user\Desktop\praxisbackup.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136
Source: C:\Users\user\Desktop\praxisbackup.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4136 -s 488
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4136 -s 488 Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: praxisbackup.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: praxisbackup.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: praxisbackup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\itm_mon\itm_mon_3.0.0.4\driver\objfre_wlh_amd64\amd64\Probmon.pdb source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64218F6D0 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,RtlCaptureContext,RtlLookupFunctionEntry,GetCurrentProcessId,CreateMutexA,CloseHandle,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,HeapFree,GetLastError,HeapFree,HeapFree, 0_2_00007FF64218F6D0
PE file contains sections with non-standard names
Source: praxisbackup.exe Static PE information: section name: _RDATA

Persistence and Installation Behavior
barindex
Sample is not signed and drops a device driver
Source: C:\Users\user\Desktop\praxisbackup.exe File created: C:\Windows\System32\Drivers\Sysprox.sys Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\praxisbackup.exe File created: C:\Windows\System32\drivers\Sysprox.sys Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\praxisbackup.exe File created: C:\Windows\System32\drivers\Sysprox.sys Jump to dropped file
Creates or modifies windows services
Source: C:\Users\user\Desktop\praxisbackup.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sysprox\Instances Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking system information)
Source: C:\Users\user\Desktop\praxisbackup.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\praxisbackup.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\Sysprox.sys Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\praxisbackup.exe API coverage: 5.9 %
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642181A20 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,FindFirstFileW,FindClose,HeapFree, 0_2_00007FF642181A20
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421A08D8 FindFirstFileExW, 0_2_00007FF6421A08D8
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642192880 HeapFree,GetSystemInfo,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree, 0_2_00007FF642192880
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\user\Desktop\praxisbackup.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64219A790 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF64219A790
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64218F6D0 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,RtlCaptureContext,RtlLookupFunctionEntry,GetCurrentProcessId,CreateMutexA,CloseHandle,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,HeapFree,GetLastError,HeapFree,HeapFree, 0_2_00007FF64218F6D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642199350 GetProcessHeap,HeapAlloc,SysFreeString,SysStringLen,FormatMessageW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00007FF642199350
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421A842C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6421A842C
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64219A938 SetUnhandledExceptionFilter, 0_2_00007FF64219A938
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64219A790 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF64219A790
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64219FE9C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF64219FE9C
Source: C:\Users\user\Desktop\praxisbackup.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4136 -s 488 Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421A7CF0 cpuid 0_2_00007FF6421A7CF0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF64218BB80 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,HeapFree,CreateNamedPipeW,GetLastError,BCryptGenRandom,BCryptGenRandom,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,BCryptGenRandom,HeapFree, 0_2_00007FF64218BB80
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF6421963E0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,GetProcessMemoryInfo,GetLastError,GetLastError,GetModuleFileNameExW,HeapFree, 0_2_00007FF6421963E0
Source: C:\Users\user\Desktop\praxisbackup.exe Code function: 0_2_00007FF642197CD1 HeapFree,HeapFree,RtlGetVersion, 0_2_00007FF642197CD1
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1541092 Sample: praxisbackup.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 72 21 Antivirus / Scanner detection for submitted sample 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 AI detected suspicious sample 2->25 6 praxisbackup.exe 2 1 2->6         started        10 svchost.exe 3 8 2->10         started        process3 file4 17 C:\Windows\System32\drivers\Sysprox.sys, PE32+ 6->17 dropped 27 Found evasive API chain (may stop execution after checking system information) 6->27 29 Found API chain indicative of debugger detection 6->29 31 Sample is not signed and drops a device driver 6->31 12 WerFault.exe 22 16 6->12         started        15 WerFault.exe 2 10->15         started        signatures5 process6 file7 19 C:\ProgramData\Microsoft\...\Report.wer, Unicode 12->19 dropped
No contacted IP infos