Windows Analysis Report PRTService.exe

Overview

General Information

Sample Name: PRTService.exe
Analysis ID: 452460
MD5: 4a838989da416e3d16c520d03c3ba192
SHA1: f2fb096d74527a06c5b5c2975fd438419ec171b6
SHA256: 26c2caf1eb317e9354cec8a92e824a495ce7d253f6d1779226138e6994553cf9

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance:

Uses 32bit PE files
Source: PRTService.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\PRTService.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PRTService.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Dev\CliSecure\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: PRTService.exe, 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp, AgileDotNetRT.dll.1.dr
Source: Binary string: C:\Windows\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: V:\ID-CHECK\Windows\NetDLL\Release\IDCheckNet.pdb source: PRTService.exe
Source: Binary string: C:\Windows\symbols\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: V:\ID-Check\IDCDeviceController\NetDeviceController\Release\IDCDeviceControllerNet.pdb source: PRTService.exe
Source: Binary string: mscorjit.pdb source: PRTService.exe, 00000001.00000002.207332184.0000000005A60000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\PRTService.pdb` source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: indows\PRTService.pdbpdbice.pdbs\ source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: .pdb3 source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: V:\ID-Check\IDCDeviceController\NetDeviceController\Release\IDCDeviceControllerNet.pdb source: PRTService.exe
Source: Binary string: c:\Users\CarlosQ\Documents\Visual Studio 2012\Projects\ASAIComLayer\PRTService\obj\Release\PRTService.pdb source: PRTService.exe
Source: Binary string: C:\Users\user\Desktop\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: mscorjit.pdb{ source: PRTService.exe, 00000001.00000002.207332184.0000000005A60000.00000004.00000001.sdmp
Source: Binary string: symbols\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: 1<pC:\Windows\PRTService.pdb source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: PRTService.exe, 00000001.00000002.207107980.00000000057B0000.00000002.00000001.sdmp
Source: Binary string: c:\Users\CarlosQ\Documents\Visual Studio 2012\Projects\ASAIComLayer\PRTService\obj\Release\PRTService.pdb\ source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop.pdbervice.exe < source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00EC29D8 1_2_00EC29D8
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00EC345E 1_2_00EC345E
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00EC2050 1_2_00EC2050
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00F529D8 1_2_00F529D8
One or more processes crash
Source: C:\Users\user\Desktop\PRTService.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 852
Sample file is different than original file name gathered from version info
Source: PRTService.exe Binary or memory string: OriginalFilename vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp Binary or memory string: OriginalFilename vs PRTService.exe
Source: PRTService.exe, 00000001.00000000.197033489.0000000000EF8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIDCDeviceControllerNet.dllD vs PRTService.exe
Source: PRTService.exe, 00000001.00000000.197033489.0000000000EF8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIDCheckNet.dllH vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207107980.00000000057B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRTService.exe
Source: PRTService.exe Binary or memory string: OriginalFilenameIDCDeviceControllerNet.dllD vs PRTService.exe
Source: PRTService.exe Binary or memory string: OriginalFilenameIDCheckNet.dllH vs PRTService.exe
Uses 32bit PE files
Source: PRTService.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: AgileDotNetRT.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: sus26.evad.winEXE@3/4@0/0
Source: C:\Users\user\Desktop\PRTService.exe File created: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b
Source: PRTService.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PRTService.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PRTService.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PRTService.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\PRTService.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PRTService.exe String found in binary or memory: Load Timed Out/LoadJurisTable Status:
Source: C:\Users\user\Desktop\PRTService.exe File read: C:\Users\user\Desktop\PRTService.exe
Source: unknown Process created: C:\Users\user\Desktop\PRTService.exe 'C:\Users\user\Desktop\PRTService.exe'
Source: C:\Users\user\Desktop\PRTService.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 852
Source: C:\Users\user\Desktop\PRTService.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\PRTService.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: PRTService.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PRTService.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E478500 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 1_2_6E478500
PE file contains sections with non-standard names
Source: AgileDotNetRT.dll.1.dr Static PE information: section name: .textbss
Source: AgileDotNetRT.dll.1.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00EC31F4 push ecx; retf 0000h 1_2_00EC32F0
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00F19CD4 push eax; ret 1_2_00F19CE8
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00F19CD4 push eax; ret 1_2_00F19D10
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00F70498 push eax; ret 1_2_00F704AC
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00F70498 push eax; ret 1_2_00F704D4
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_00F19EA7 push ecx; ret 1_2_00F19EB7
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E47569E push eax; ret 1_2_6E4756BC
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48AE07 push 00000C3Fh; mov dword ptr [esp], eax 1_2_6E48AE0F
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48A621 push 000003C8h; mov dword ptr [esp], ebx 1_2_6E48A62C
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48A688 push 000023F7h; mov dword ptr [esp], eax 1_2_6E48A693
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E488F68 push 000073FDh; mov dword ptr [esp], edx 1_2_6E488F6D
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E488717 push 000010B9h; mov dword ptr [esp], eax 1_2_6E48BAFB
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48B7C3 push 00001947h; mov dword ptr [esp], ecx 1_2_6E48B7CB
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E489C41 push 00001F00h; mov dword ptr [esp], edx 1_2_6E489C48
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E489463 push 00007DDCh; mov dword ptr [esp], ebp 1_2_6E48947C
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E488C34 push 00007802h; mov dword ptr [esp], edx 1_2_6E4895CF
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48B4AA push 00007F81h; mov dword ptr [esp], ebx 1_2_6E48B4C2
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48AD67 push 0000183Fh; mov dword ptr [esp], edx 1_2_6E48AD6C
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E487DCD push 00000237h; mov dword ptr [esp], esi 1_2_6E487DD6
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48AA36 push 00003619h; mov dword ptr [esp], ecx 1_2_6E48AA3F
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48C348 push 00004A85h; mov dword ptr [esp], edx 1_2_6E48C352
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48831F push 000008ABh; mov dword ptr [esp], edx 1_2_6E48A329
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48A3AE push 000063D4h; mov dword ptr [esp], ecx 1_2_6E48A3B7
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48B068 push 00000FACh; mov dword ptr [esp], edx 1_2_6E48B06D
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48902C push 00002D0Eh; mov dword ptr [esp], edi 1_2_6E489034
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48A82F push 000019CCh; mov dword ptr [esp], esp 1_2_6E48A834
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48B8D6 push 0000142Bh; mov dword ptr [esp], eax 1_2_6E48B8DF
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48997F push 0000120Bh; mov dword ptr [esp], edx 1_2_6E48999F
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48A93F push 00005B3Dh; mov dword ptr [esp], ebx 1_2_6E489BAD
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E48A1D0 push 00000289h; mov dword ptr [esp], edi 1_2_6E48A1D9
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E4889FD push 00006D00h; mov dword ptr [esp], eax 1_2_6E488A09
Source: initial sample Static PE information: section name: .text entropy: 6.82449258024
Source: initial sample Static PE information: section name: .reloc entropy: 7.44136591955

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PRTService.exe File created: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll
Source: C:\Users\user\Desktop\PRTService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PRTService.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PRTService.exe RDTSC instruction interceptor: First address: 000000006E472D12 second address: 000000006E472D96 instructions:
0x00000000 rdtsc
0x00000002 mov dword ptr [ebp-10h], eax
0x00000005 mov dword ptr [ebp-0Ch], edx
0x00000008 mov eax, dword ptr [ebp-10h]
0x0000000b sub eax, dword ptr [ebp-08h]
0x0000000e mov edx, dword ptr [ebp-0Ch]
0x00000011 sbb edx, dword ptr [ebp-04h]
0x00000014 pop edi
0x00000015 pop esi
0x00000016 pop ebx
0x00000017 mov esp, ebp
0x00000019 pop ebp
0x0000001a ret
0x0000001b mov dword ptr [6E4833C0h], eax
0x00000020 mov dword ptr [6E4833C4h], edx
0x00000026 mov dword ptr [ebp-0Ch], 00000000h
0x0000002d jmp 00007FF90CA8700Bh
0x0000002f mov eax, dword ptr [ebp-0Ch]
0x00000032 cmp eax, dword ptr [ebp+08h]
0x00000035 jnl 00007FF90CA87046h
0x00000037 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E472D50 rdtsc 1_2_6E472D50
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PRTService.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E472D50 rdtsc 1_2_6E472D50
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E478500 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 1_2_6E478500
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E47EF00 GetProcessHeap,RtlAllocateHeap, 1_2_6E47EF00
Source: C:\Users\user\Desktop\PRTService.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PRTService.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 852
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E4767C0 MessageBoxW,GetSystemTimeAsFileTime,CompareFileTime,MessageBoxW, 1_2_6E4767C0
Source: C:\Users\user\Desktop\PRTService.exe Code function: 1_2_6E471EA0 GetVersionExW, 1_2_6E471EA0
No contacted IP infos