IOC Report
praxisbackup.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| praxisbackup.exe | PE32+ executable (GUI) x86-64, for MS Windows | initial sample | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_praxisbackup.exe_fa851c8bd9c5583f741cfa88ae4a1244eeb19db5_9be301e6_7c27b446-6383-4edf-b7b5-fb839c6564ce\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB2F.tmp.dmp | Mini DuMP crash report, 15 streams, Thu Oct 24 10:07:58 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBAD.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBED.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBFA.tmp.csv | data | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC3A.tmp.txt | data | dropped | |
| C:\Windows\System32\drivers\Sysprox.sys | PE32+ executable (native) x86-64, for MS Windows | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\praxisbackup.exe | "C:\Users\user\Desktop\praxisbackup.exe" | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup | |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136 | |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 4136 -s 488 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://secure.globalsign.net/cacert/PrimObject.crt0 | unknown | |
| http://secure.globalsign.net/cacert/ObjectSign.crt09 | unknown | |
| http://upx.sf.net | unknown | |
| http://www.globalsign.net/repository09 | unknown | |
| http://www.globalsign.net/repository/0 | unknown | |

Registry

Value names are grouped under the key they were written to.

- \REGISTRY\A\{e4f8345c-08c4-0552-3267-810b0f4e47c2}\Root\InventoryApplicationFile\praxisbackup.exe|5f1e489b8bb46e47 (all 19 values flagged malicious): ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, Usn
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sysprox\Instances: DefaultInstance
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sysprox\Instances\Sysprox Instance: Altitude
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\4136: Terminator, Reason, CreationTime
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}: DeviceTicket, DeviceId, ApplicationFlags
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property: 0018000DDABBE6B3

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 19240A02000 | unknown | page read and write | |
| 19240A47000 | heap | page read and write | |
| 2461D1A0000 | heap | page read and write | |
| 7FF6421CE000 | unknown | page readonly | |
| 19240C00000 | heap | page read and write | |
| 192409C0000 | trusted library allocation | page read and write | |
| 19240D00000 | heap | page read and write | |
| 19240B02000 | trusted library allocation | page read and write | |
| 7FF6421CC000 | unknown | page write copy | |
| 7FF6421CE000 | unknown | page readonly | |
| 7FF6421AD000 | unknown | page readonly | |
| 2461D270000 | heap | page read and write | |
| 19240C13000 | heap | page read and write | |
| 19240D13000 | heap | page read and write | |
| 7FF642161000 | unknown | page execute read | |
| 2461D1C0000 | heap | page read and write | |
| 7FF642160000 | unknown | page readonly | |
| 19240C02000 | heap | page read and write | |
| 7FF642160000 | unknown | page readonly | |
| 19240D02000 | heap | page read and write | |
| 2461D276000 | heap | page read and write | |
| 2461D27C000 | heap | page read and write | |
| 19240D13000 | heap | page read and write | |
| 19240D00000 | heap | page read and write | |
| 7FF642161000 | unknown | page execute read | |
| 192408E0000 | heap | page read and write | |
| 19240B24000 | heap | page read and write | |
| 7FF6421CC000 | unknown | page read and write | |
| 19240B00000 | trusted library allocation | page read and write | |
| 19240A3C000 | heap | page read and write | |
| 31EBB7B000 | stack | page read and write | |
| 7FF6421AD000 | unknown | page readonly | |
| D6B4CF5000 | stack | page read and write | |
| 19240A00000 | unknown | page read and write | |
| 2461D28B000 | heap | page read and write | |
| 19240D02000 | heap | page read and write | |
| 2461D460000 | heap | page read and write | |
| D6B4DFE000 | stack | page read and write | |
| 31EB71D000 | stack | page read and write | |
| 2461D0C0000 | heap | page read and write | |
| 19240A13000 | unknown | page read and write | |
| 31EBEF9000 | stack | page read and write | |
| 192408C0000 | heap | page read and write | |
| D6B4EFE000 | stack | page read and write | |
| 19240B15000 | trusted library allocation | page read and write | |
| 19240A1B000 | unknown | page read and write | |
| 19240A2B000 | heap | page read and write | |