
Windows Analysis Report PRTService.exe

Overview

General Information

Sample Name: PRTService.exe
Analysis ID: 452460
MD5: 4a838989da416e3d16c520d03c3ba192
SHA1: f2fb096d74527a06c5b5c2975fd438419ec171b6
SHA256: 26c2caf1eb317e9354cec8a92e824a495ce7d253f6d1779226138e6994553cf9

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample crashes during execution; try analyzing it on another analysis machine
Sample may be VM- or sandbox-aware; try analysis on a native machine
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--")

Process Tree

  • System is w10x64
  • PRTService.exe (PID: 5480 cmdline: 'C:\Users\user\Desktop\PRTService.exe' MD5: 4A838989DA416E3D16C520D03C3BA192)
    • dw20.exe (PID: 5976 cmdline: dw20.exe -x -s 852 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Source: PRTService.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\PRTService.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PRTService.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Dev\CliSecure\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: PRTService.exe, 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp, AgileDotNetRT.dll.1.dr
Source: Binary string: C:\Windows\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: V:\ID-CHECK\Windows\NetDLL\Release\IDCheckNet.pdb source: PRTService.exe
Source: Binary string: C:\Windows\symbols\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: V:\ID-Check\IDCDeviceController\NetDeviceController\Release\IDCDeviceControllerNet.pdb source: PRTService.exe
Source: Binary string: mscorjit.pdb source: PRTService.exe, 00000001.00000002.207332184.0000000005A60000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\PRTService.pdb` source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: indows\PRTService.pdbpdbice.pdbs\ source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: .pdb3 source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: V:\ID-Check\IDCDeviceController\NetDeviceController\Release\IDCDeviceControllerNet.pdb source: PRTService.exe
Source: Binary string: c:\Users\CarlosQ\Documents\Visual Studio 2012\Projects\ASAIComLayer\PRTService\obj\Release\PRTService.pdb source: PRTService.exe
Source: Binary string: C:\Users\user\Desktop\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: mscorjit.pdb{ source: PRTService.exe, 00000001.00000002.207332184.0000000005A60000.00000004.00000001.sdmp
Source: Binary string: symbols\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: 1<pC:\Windows\PRTService.pdb source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: PRTService.exe, 00000001.00000002.207107980.00000000057B0000.00000002.00000001.sdmp
Source: Binary string: c:\Users\CarlosQ\Documents\Visual Studio 2012\Projects\ASAIComLayer\PRTService\obj\Release\PRTService.pdb\ source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop.pdbervice.exe < source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC29D8 1_2_00EC29D8
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC345E 1_2_00EC345E
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC2050 1_2_00EC2050
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F529D8 1_2_00F529D8
Source: C:\Users\user\Desktop\PRTService.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 852
Source: PRTService.exe | Binary or memory string: OriginalFilename vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs PRTService.exe
Source: PRTService.exe, 00000001.00000000.197033489.0000000000EF8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDCDeviceControllerNet.dllD vs PRTService.exe
Source: PRTService.exe, 00000001.00000000.197033489.0000000000EF8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDCheckNet.dllH vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207107980.00000000057B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRTService.exe
Source: PRTService.exe | Binary or memory string: OriginalFilenameIDCDeviceControllerNet.dllD vs PRTService.exe
Source: PRTService.exe | Binary or memory string: OriginalFilenameIDCheckNet.dllH vs PRTService.exe
Source: AgileDotNetRT.dll.1.dr | Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: sus26.evad.winEXE@3/4@0/0
Source: C:\Users\user\Desktop\PRTService.exe | File created: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b
Source: PRTService.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PRTService.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PRTService.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PRTService.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\PRTService.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PRTService.exe | String found in binary or memory: Load Timed Out/LoadJurisTable Status:
Source: C:\Users\user\Desktop\PRTService.exe | File read: C:\Users\user\Desktop\PRTService.exe
Source: unknown | Process created: C:\Users\user\Desktop\PRTService.exe 'C:\Users\user\Desktop\PRTService.exe'
Source: C:\Users\user\Desktop\PRTService.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 852
Source: C:\Users\user\Desktop\PRTService.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\PRTService.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: PRTService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PRTService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E478500 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 1_2_6E478500
Source: AgileDotNetRT.dll.1.dr | Static PE information: section name: .textbss
Source: AgileDotNetRT.dll.1.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC31F4 push ecx; retf 0000h 1_2_00EC32F0
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F19CD4 push eax; ret 1_2_00F19CE8
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F19CD4 push eax; ret 1_2_00F19D10
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F70498 push eax; ret 1_2_00F704AC
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F70498 push eax; ret 1_2_00F704D4
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F19EA7 push ecx; ret 1_2_00F19EB7
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E47569E push eax; ret 1_2_6E4756BC
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48AE07 push 00000C3Fh; mov dword ptr [esp], eax 1_2_6E48AE0F
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A621 push 000003C8h; mov dword ptr [esp], ebx 1_2_6E48A62C
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A688 push 000023F7h; mov dword ptr [esp], eax 1_2_6E48A693
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E488F68 push 000073FDh; mov dword ptr [esp], edx 1_2_6E488F6D
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E488717 push 000010B9h; mov dword ptr [esp], eax 1_2_6E48BAFB
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B7C3 push 00001947h; mov dword ptr [esp], ecx 1_2_6E48B7CB
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E489C41 push 00001F00h; mov dword ptr [esp], edx 1_2_6E489C48
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E489463 push 00007DDCh; mov dword ptr [esp], ebp 1_2_6E48947C
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E488C34 push 00007802h; mov dword ptr [esp], edx 1_2_6E4895CF
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B4AA push 00007F81h; mov dword ptr [esp], ebx 1_2_6E48B4C2
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48AD67 push 0000183Fh; mov dword ptr [esp], edx 1_2_6E48AD6C
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E487DCD push 00000237h; mov dword ptr [esp], esi 1_2_6E487DD6
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48AA36 push 00003619h; mov dword ptr [esp], ecx 1_2_6E48AA3F
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48C348 push 00004A85h; mov dword ptr [esp], edx 1_2_6E48C352
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48831F push 000008ABh; mov dword ptr [esp], edx 1_2_6E48A329
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A3AE push 000063D4h; mov dword ptr [esp], ecx 1_2_6E48A3B7
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B068 push 00000FACh; mov dword ptr [esp], edx 1_2_6E48B06D
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48902C push 00002D0Eh; mov dword ptr [esp], edi 1_2_6E489034
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A82F push 000019CCh; mov dword ptr [esp], esp 1_2_6E48A834
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B8D6 push 0000142Bh; mov dword ptr [esp], eax 1_2_6E48B8DF
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48997F push 0000120Bh; mov dword ptr [esp], edx 1_2_6E48999F
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A93F push 00005B3Dh; mov dword ptr [esp], ebx 1_2_6E489BAD
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A1D0 push 00000289h; mov dword ptr [esp], edi 1_2_6E48A1D9
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E4889FD push 00006D00h; mov dword ptr [esp], eax 1_2_6E488A09
Source: initial sample | Static PE information: section name: .text entropy: 6.82449258024
Source: initial sample | Static PE information: section name: .reloc entropy: 7.44136591955
Source: C:\Users\user\Desktop\PRTService.exe | File created: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll
Source: C:\Users\user\Desktop\PRTService.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PRTService.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PRTService.exe | RDTSC instruction interceptor: First address: 000000006E472D12 second address: 000000006E472D96 instructions:
  0x00000000 rdtsc
  0x00000002 mov dword ptr [ebp-10h], eax
  0x00000005 mov dword ptr [ebp-0Ch], edx
  0x00000008 mov eax, dword ptr [ebp-10h]
  0x0000000b sub eax, dword ptr [ebp-08h]
  0x0000000e mov edx, dword ptr [ebp-0Ch]
  0x00000011 sbb edx, dword ptr [ebp-04h]
  0x00000014 pop edi
  0x00000015 pop esi
  0x00000016 pop ebx
  0x00000017 mov esp, ebp
  0x00000019 pop ebp
  0x0000001a ret
  0x0000001b mov dword ptr [6E4833C0h], eax
  0x00000020 mov dword ptr [6E4833C4h], edx
  0x00000026 mov dword ptr [ebp-0Ch], 00000000h
  0x0000002d jmp 00007FF90CA8700Bh
  0x0000002f mov eax, dword ptr [ebp-0Ch]
  0x00000032 cmp eax, dword ptr [ebp+08h]
  0x00000035 jnl 00007FF90CA87046h
  0x00000037 rdtsc
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E472D50 rdtsc 1_2_6E472D50
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PRTService.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E478500 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 1_2_6E478500
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E47EF00 GetProcessHeap,RtlAllocateHeap, 1_2_6E47EF00
Source: C:\Users\user\Desktop\PRTService.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PRTService.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 852
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E4767C0 MessageBoxW,GetSystemTimeAsFileTime,CompareFileTime,MessageBoxW, 1_2_6E4767C0
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E471EA0 GetVersionExW, 1_2_6E471EA0

Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the signature count shown next to that technique in the original matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (2); Native API (1); At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (11); Disable or Modify Tools (1); Process Injection (11); Obfuscated Files or Information (2); Software Packing (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: System Time Discovery (1); Security Software Discovery (131); Virtualization/Sandbox Evasion (11); Remote System Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

Behavior Graph



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: PRTService.exe | Detection: 6% | Scanner: Virustotal

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll | Detection: 1% | Scanner: Virustotal
Source: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll | Detection: 2% | Scanner: Metadefender
Source: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll | Detection: 2% | Scanner: ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452460
Start date: 22.07.2021
Start time: 12:04:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PRTService.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus26.evad.winEXE@3/4@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 68%
  • Number of executed functions: 53
  • Number of non-executed functions: 22
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Excluded process from analysis (whitelisted): svchost.exe
  • Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.147.198.201, 40.88.32.150
  • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, watson.telemetry.microsoft.com

Simulations

Behavior and APIs

Time | Type | Description
12:04:59 | API Interceptor | 1x Sleep call for process: dw20.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_prtservice.exe_9a52ed83f9a038e8d5d8a8b157025a4bf964059_00000000_170c17b5\Report.wer
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12060
Entropy (8bit): 3.77494316680188
Encrypted: false
SSDEEP: 192:qukBTvHiNmXmhnZaKsn9fXeewQlfY/u7s6S274ItxUn:r2TiraDfY/u7s6X4ItW
MD5: BC1FC11A79D4F343E5BB91CE09B7E8AD
SHA1: D7B371EAEFB34AF61C2D839AB37529D9ACBFB38E
SHA-256: 157F9E47E5C2B3807B350974B124C7F32129A991AD8B1F8092B3D33CCE9EA5CF
SHA-512: 460570B46667510C06D40CAAD8B61EF7B8444A4BB13DC899DA97C5D9ED2B5C30582A2B5EEBA13B980B7D66A68DDB87309B8CC133EE274F3233335C95A71AE5D2
Malicious: false
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.1.4.5.4.2.9.7.2.5.0.4.9.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.1.4.5.4.2.9.7.5.4.7.3.8.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.a.9.f.8.6.7.-.5.c.8.2.-.4.4.6.3.-.9.4.7.f.-.3.1.8.b.e.5.8.7.b.9.f.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.R.T.S.e.r.v.i.c.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.6.8.-.0.0.0.1.-.0.0.1.7.-.9.8.a.3.-.4.c.7.5.2.c.7.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.d.4.4.3.3.7.a.a.a.c.6.2.e.9.a.f.7.2.5.a.0.b.2.6.a.b.f.5.d.7.3.0.0.0.0.0.0.0.0.!.0.0.0.0.f.2.f.b.0.9.6.d.7.4.5.2.7.a.0.6.c.5.b.5.c.2.9.7.5.f.d.4.3.8.4.1.9.e.c.1.7.1.b.6.!.P.R.T.S.e.r.v.i.c.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.7././.1.1././.2.9.:.2.0.:.0.9.:.3.3.!.0.!.P.R.T.S.e.r.v.i.c.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC2.tmp.WERInternalMetadata.xml
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 7680
Entropy (8bit): 3.696497169104449
Encrypted: false
SSDEEP: 192:Rrl7r3GLNik6U6ksMe6YSKSUNC1lgmfZJAdS+Cp1yb1fYqGm:RrlsNiI696YfSUNC1lgmfXOSnypfr
MD5: 1EBF2F48397EFDD1021EDE3AF4B317DC
SHA1: 48847211A8D7E6385E13908B6F951483DDAD5AED
SHA-256: 55ABEF9712C023C23556FBE0439396D36F9626F229BB144475BAB8A1FAEAD0FD
SHA-512: F9E1F2EA19AE2BFE6C7814B6F27748C16DAA0C423AFEEB02EC845E1198C7B6D5038D844AC0C26361F5D269DFDCB18055703268F3475D21C058AE48BD7868A782
Malicious: false
Reputation: low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.8.0.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE60.tmp.xml
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4699
Entropy (8bit): 4.4714599202674306
Encrypted: false
SSDEEP: 48:cvIwSD8zsvJgtWI9ZVWSC8Bhs8fm8M4JFKzLtJ2F3f+q8vCLtJfebF9pd:uITfR6kSNbRJFKsfKMep9pd
MD5: BF3AD03AC5C53F7BD1E72D3B3BB4C4E1
SHA1: 3F8D93C4AEECFE1BFC18E53DC9C758F6AC7D3E8B
SHA-256: 80E099F69D975A62E4B82EC1E9AD616938D4A425EE51BB4EDAB3E5EABEFB49D1
SHA-512: 494C602BD5A3ACDAA155379483A070611E77772F1A54B2A7339E106025A145829FC2785E7888F2A8D8457A6D6764C80DDDA5AEBF0F5D11CDFE625120127BA7E5
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1088895" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll
Process:C:\Users\user\Desktop\PRTService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):123285
Entropy (8bit):6.470545105128027
Encrypted:false
SSDEEP:3072:eoVfy2n+bR4l+w5wIDn+1HcR6bpMpImsGPZni2:ly2n+bR42xcR6bpUxni2
MD5:F377D15AD215C779E12775DE2B42C965
SHA1:59409AC15E0535CEA47EC5AC5968867E8FF8C0E6
SHA-256:BC2440A2A185006247BE562F4D6B67560309E48694CC854308E00C41F02CA7D8
SHA-512:11AFDD6F098AB7D7466A764868D9E163142836B11044A0A2572EAC305454328B6FADE08929F93BD9E5FA9436435C5566A3C2EE86F1CDA6457B908F1198E22CF1
Malicious:false
Antivirus:
  • Antivirus: Virustotal, Detection: 1%
  • Antivirus: Metadefender, Detection: 2%
  • Antivirus: ReversingLabs, Detection: 2%
Reputation:low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............F...F...F..TF...F..lF...F...F...F..aF...F.wTF...F.wdF...F.weF...F.wbF...FRich...F........PE..L....9VS...........!.........8............................................... .......|....@..........................#.......@..d....`.......................p.......................................................B.. ....P..`....................textbss.................................text...)........................... ..`.rdata..............................@..@.data........0......................@....idata.......@......................@....didat..a....P.......*..............@....rsrc........`......................@..@.reloc.......p.......2..............`...................................................................................................................................................................................................................

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):6.818104665244162
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
  • Win32 Executable (generic) a (10002005/4) 49.65%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • InstallShield setup (43055/19) 0.21%
  • Windows Screen Saver (13104/52) 0.07%
File name:PRTService.exe
File size:957952
MD5:4a838989da416e3d16c520d03c3ba192
SHA1:f2fb096d74527a06c5b5c2975fd438419ec171b6
SHA256:26c2caf1eb317e9354cec8a92e824a495ce7d253f6d1779226138e6994553cf9
SHA512:ab62430a4d72f4e6d71c489fe45e338a8b877f5d9936bd10ea60a6d325fa02e03d25652a04a3262fcff8347e121fee876b4b98c8f767f5339ba8c01c1d0d9f9c
SSDEEP:12288:4BnFzJLhIE3wD2gM+L+GQtXJoqWJ+7MVOIVcD:cFprPDtPW87MVOs8
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z............................z.... ........@.. ....................................@................................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x4eb17a
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5A1F13FD [Wed Nov 29 20:09:33 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:v2.0.50727
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc ecx
adc ebx, dword ptr [edi]
pop edx
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [ecx+esi*4-6C43FFF2h], bh
push cs
add byte ptr [edx+53h], dl
inc esp
push ebx
jne 00007FF90C769D74h
pop ebp
add cl, byte ptr [edx]
jp 00007FF90C769D72h
inc edx
mov eax, 70716149h
std
sub dword ptr [edx+01h], edx
add byte ptr [eax], al
add byte ptr [ebx+3Ah], ah
pop esp
push ebp
jnc 00007FF90C769DA7h
jc 00007FF90C769DB5h
pop esp
inc ebx
popad
jc 00007FF90C769DAEh
outsd
jnc 00007FF90C769D93h
pop esp
inc esp
outsd
arpl word ptr [ebp+6Dh], si
outsb
je 00007FF90C769DB5h
pop esp
push esi
imul esi, dword ptr [ebx+75h], 53206C61h
je 00007FF90C769DB7h
imul ebp, dword ptr fs:[edi+20h], 32313032h
pop esp
push eax
jc 00007FF90C769DB1h
push 00000065h
arpl word ptr [ebx+esi*2+5Ch], si
inc ecx
push ebx
inc ecx
dec ecx
inc ebx
outsd
insd
dec esp
popad
jns 00007FF90C769DA7h
jc 00007FF90C769D9Eh
push eax
push edx
push esp
push ebx
jc 00007FF90C769DB9h
imul esp, dword ptr [ebx+65h], 6A626F5Ch
pop esp
push edx
insb
popad
jnc 00007FF90C769DA7h
pop esp
push eax
push edx
push esp
push ebx
jc 00007FF90C769DB9h
imul esp, dword ptr [ebx+65h], 6264702Eh
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xeb120          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xec000          0x54c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xee000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xeb1a0          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xe9240       0xe9400   False     0.431423960008   data       6.82449258024   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xec000          0x54c         0x600     False     0.391927083333   data       3.95297327924   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xee000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0xec0a0  0x2c0  data
RT_MANIFEST  0xec360  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2015
Assembly Version  1.0.0.0
InternalName      PRTService.exe
FileVersion       1.0.0.0
ProductName       PRTService
ProductVersion    1.0.0.0
FileDescription   PRTService
OriginalFilename  PRTService.exe

Network Behavior

Network Port Distribution

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Jul 22, 2021 12:04:49.281429052 CEST  57544        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:04:49.338541985 CEST  53           57544      8.8.8.8      192.168.2.3
Jul 22, 2021 12:04:50.223974943 CEST  55984        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:04:50.283888102 CEST  53           55984      8.8.8.8      192.168.2.3
Jul 22, 2021 12:04:51.742949009 CEST  64185        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:04:51.795140028 CEST  53           64185      8.8.8.8      192.168.2.3
Jul 22, 2021 12:04:52.562978029 CEST  65110        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:04:52.612060070 CEST  53           65110      8.8.8.8      192.168.2.3
Jul 22, 2021 12:04:56.747797012 CEST  58361        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:04:56.800153017 CEST  53           58361      8.8.8.8      192.168.2.3
Jul 22, 2021 12:04:57.887835026 CEST  63492        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:04:57.937417030 CEST  53           63492      8.8.8.8      192.168.2.3
Jul 22, 2021 12:04:57.998963118 CEST  60831        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:04:58.055975914 CEST  53           60831      8.8.8.8      192.168.2.3
Jul 22, 2021 12:04:58.842502117 CEST  60100        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:04:58.891685963 CEST  53           60100      8.8.8.8      192.168.2.3
Jul 22, 2021 12:05:00.004996061 CEST  53195        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:05:00.065162897 CEST  53           53195      8.8.8.8      192.168.2.3
Jul 22, 2021 12:05:01.762751102 CEST  50141        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:05:01.812561035 CEST  53           50141      8.8.8.8      192.168.2.3
Jul 22, 2021 12:05:02.623524904 CEST  53023        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:05:02.676060915 CEST  53           53023      8.8.8.8      192.168.2.3
Jul 22, 2021 12:05:04.735703945 CEST  49563        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:05:04.791460037 CEST  53           49563      8.8.8.8      192.168.2.3
Jul 22, 2021 12:05:05.813606024 CEST  51352        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:05:05.865675926 CEST  53           51352      8.8.8.8      192.168.2.3
Jul 22, 2021 12:05:06.653266907 CEST  59349        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:05:06.705532074 CEST  53           59349      8.8.8.8      192.168.2.3

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time:12:04:55
Start date:22/07/2021
Path:C:\Users\user\Desktop\PRTService.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\PRTService.exe'
Imagebase:0xec0000
File size:957952 bytes
MD5 hash:4A838989DA416E3D16C520D03C3BA192
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:12:04:56
Start date:22/07/2021
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):true
Commandline:dw20.exe -x -s 852
Imagebase:0x10000000
File size:33936 bytes
MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:5.7%
    Dynamic/Decrypted Code Coverage:57.6%
    Signature Coverage:8.4%
    Total number of Nodes:191
    Total number of Limit Nodes:17

    Graph

    Executed Functions

    Control-flow Graph

    APIs
    • GetCurrentProcess.KERNEL32(clrjit.dll), ref: 6E478571
    • GetCurrentProcess.KERNEL32(mscorjit.dll), ref: 6E4785C6
    • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 6E478636
    • HeapAlloc.KERNEL32(00000000), ref: 6E47863D
    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?), ref: 6E478918
    • GetProcAddress.KERNEL32(?,getJit), ref: 6E478930
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6E47898E
    • HeapFree.KERNEL32(00000000), ref: 6E478995
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: HeapProcess$Current$AddressAllocFreeLibraryLoadProc
    • String ID: 2.0.50727.$2.0.50727.3053 (netfxsp.050727-3000)$2.0.50727.3068 (QFE.050727-3000)$4.0.30319.17020 built by: FXM3REL$4.0.30319.17379$4.0.30319.17626$\StringFileInfo\040904b0\FileVersion$clrjit.dll$clrjit.dll$getJit$mscorjit.dll$mscorjit.dll$v4.0
    • API String ID: 3521026962-732809550
    • Opcode ID: 93164fea1d8ba5588c2668a0d68c44e989e4af734bdfbaf567cdea87dc43201d
    • Instruction ID: f474ab5dd950e1af54aa08e489d253bf3262f3dafaaad92f7d874faf43cfeac9
    • Opcode Fuzzy Hash: 93164fea1d8ba5588c2668a0d68c44e989e4af734bdfbaf567cdea87dc43201d
    • Instruction Fuzzy Hash: C7C11DF5D042289FDF64DFA4DD44BDAB7B8AB49304F0044DAE609A7341E7319A88CF99
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • InterlockedCompareExchange.KERNEL32(6E4833CC,00000001,00000000), ref: 6E472D62
    • Sleep.KERNELBASE(00000064), ref: 6E472DA0
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: CompareExchangeInterlockedSleep
    • String ID:
    • API String ID: 3488530569-0
    • Opcode ID: abc47d4ecbe5f20b90f325b2dd63bf4e10eb02ecb971cd2eeb91ea7b74ea04bb
    • Instruction ID: c590963853d98fff3143e9a52af2f407c063b983f81c6ab491bbf8478df26386
    • Opcode Fuzzy Hash: abc47d4ecbe5f20b90f325b2dd63bf4e10eb02ecb971cd2eeb91ea7b74ea04bb
    • Instruction Fuzzy Hash: F91122B0D00689AFCF14EFE9D584BDEBBF5FB46B00F10815AE404A7244DB3099428B95
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6E47EF0F
    • RtlAllocateHeap.NTDLL(00000000), ref: 6E47EF16
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID:
    • API String ID: 1357844191-0
    • Opcode ID: 78703fbacd7a5de49b682a61044d3f41af60108b21a07f5fa360a92f17f82c7c
    • Instruction ID: ba27a6f4a84d3d990aff0f52e7bc49d3813d60747143bcb56a48648012cf9fd0
    • Opcode Fuzzy Hash: 78703fbacd7a5de49b682a61044d3f41af60108b21a07f5fa360a92f17f82c7c
    • Instruction Fuzzy Hash: C7D0C77660410877D60076EABC49EAFBB5CD7466E2F000155FA09C11409551981146F1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • RaiseException.KERNEL32(00000111,00000000,00000001,?,?,?,015D09D8), ref: 6E4781DA
    • WaitForSingleObject.KERNEL32(00000338,00000000,?,00000000,?,00007263,?,00000000,?,?,015D09D8), ref: 6E47825B
    • WaitForSingleObject.KERNEL32(0000033C,000003E8), ref: 6E478299
    • GetProcessHeap.KERNEL32(00000000,0000001C,00000000,00000000,?), ref: 6E47830B
    • HeapAlloc.KERNEL32(00000000), ref: 6E478312
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E4783D1
    • HeapFree.KERNEL32(00000000), ref: 6E4783D8
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E4783EA
    • HeapFree.KERNEL32(00000000), ref: 6E4783F1
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$Process$FreeObjectSingleWait$AllocExceptionRaise
    • String ID: Agile.NET runtime internal error occurred.$cr
    • API String ID: 2104414052-3111436492
    • Opcode ID: 02279134ba6396c871397995a2ac233f4d03f13e715c4b11dd691abeef735ca5
    • Instruction ID: abb47b2261c60a4a8a22858a2ca5dacf8a95bb8f55473dedf65b5916653391c2
    • Opcode Fuzzy Hash: 02279134ba6396c871397995a2ac233f4d03f13e715c4b11dd691abeef735ca5
    • Instruction Fuzzy Hash: 6AC1E275A00208EFDB14DFA8C894EDEB7B9FF49304F10855AE9099B391DB71EA45CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E47581E
    • HeapAlloc.KERNEL32(00000000), ref: 6E475825
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,0000000C,00000000,?,?,0000000C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E4758A6
    • HeapFree.KERNEL32(00000000), ref: 6E4758AD
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E4758C9
    • HeapFree.KERNEL32(00000000), ref: 6E4758D0
    • VirtualQuery.KERNEL32(00000000,00000000,0000001C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E4758FB
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$Process$Free$AllocQueryVirtual
    • String ID:
    • API String ID: 2387146580-0
    • Opcode ID: e0585895d901698fa3dc3df902f99e7701e8e0e6f35ca30ecf19dd930f3ade62
    • Instruction ID: cea55eaa32b4c03cabc562a1cbf0ef32771707cc057f786ef86d51ae22d161aa
    • Opcode Fuzzy Hash: e0585895d901698fa3dc3df902f99e7701e8e0e6f35ca30ecf19dd930f3ade62
    • Instruction Fuzzy Hash: 8151C0B5E00208AFDF54DFE9D894EEEBBB8BF09301F10415AE515EB240D778AA45CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E472192
    • HeapAlloc.KERNEL32(00000000), ref: 6E472199
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E4721D6
    • HeapFree.KERNEL32(00000000), ref: 6E4721DD
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$Process$AllocFree
    • String ID:
    • API String ID: 756756679-0
    • Opcode ID: ca26ea807c26773c7a6a09dadc5b3551bfa28fc14baca05188d5d9c9bf1de272
    • Instruction ID: f7183ce27eb298bd073c7001e94fa6b3a7b5513cffc86858a7b0f59212cab6cc
    • Opcode Fuzzy Hash: ca26ea807c26773c7a6a09dadc5b3551bfa28fc14baca05188d5d9c9bf1de272
    • Instruction Fuzzy Hash: 504109B5904108EFDF24DBE9D948FCEB7BCEB49345F00859AE605E7240DA709A81CFA4
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a233853f2db280026c14ff831b53368c3f78176b470a7bc29919e0a2aa94f4da
    • Instruction ID: 911943b671cdfba34d7d27faa8cd9a0abf04edce663722c9a916187246cc4e87
    • Opcode Fuzzy Hash: a233853f2db280026c14ff831b53368c3f78176b470a7bc29919e0a2aa94f4da
    • Instruction Fuzzy Hash: 741297749049289FDB64CB68DD94FEAB7B5AB48346F1041D9D80DAB391DB30AEC5CF80
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6E472B41
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6E472B54
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6E472B67
    • GetCurrentThreadId.KERNEL32 ref: 6E472B72
    • CreateThread.KERNELBASE(00000000,00000000,Function_00011136,00000000,00000000,6E473816), ref: 6E472B8E
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Create$Event$Thread$Current
    • String ID:
    • API String ID: 4115085679-0
    • Opcode ID: e801073e37783c8f2eefc057c3f2e22c24205b5294d94f132f47ac8d1ca44e37
    • Instruction ID: 61ed3a99ff28a4a31d776540b3cfbc1127df174d599e2a42d65aebc472a1a47d
    • Opcode Fuzzy Hash: e801073e37783c8f2eefc057c3f2e22c24205b5294d94f132f47ac8d1ca44e37
    • Instruction Fuzzy Hash: E3F01274B84704BAFA306BB1AC4BF9A7B68E717F81F10001AF705AD2C0D6E1A5018659
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileW.KERNELBASE(00000001,00000001,00000001,00000000,00000003,00000000,00000000), ref: 6E47C5FC
    • GetFileSize.KERNEL32(?,?), ref: 6E47C60D
    • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 6E47C649
    • FindCloseChangeNotification.KERNELBASE(?), ref: 6E47C653
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: File$ChangeCloseCreateFindNotificationReadSize
    • String ID:
    • API String ID: 2135649906-0
    • Opcode ID: 1ec1d3d590a5221238a662c4a050396a5744db4958cc71ff3259d92acb04b906
    • Instruction ID: e8b7bf1a0a2872202fae862d8e92dac11021621c6ac6449f4f779cb702edae3b
    • Opcode Fuzzy Hash: 1ec1d3d590a5221238a662c4a050396a5744db4958cc71ff3259d92acb04b906
    • Instruction Fuzzy Hash: 3531B9B5A40208EFDB04DF94D998FDEB7F8AB49304F2441A9E904AB381D775AE04DF94
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered graph omitted)
    Memory Dump Source
    • Source File: 00000001.00000002.207024881.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5740000_PRTService.jbxd
    Similarity
    • API ID: ControlDrawFrame
    • String ID: $ghr
    • API String ID: 3837821161-1352911727
    • Opcode ID: 124e7f3e3420b50d6aea73d8cdc4be70edaac323cc4d626c716a499bc5f63543
    • Instruction ID: 03460b5be17180794b37b53aba28a85ca56a6abc1e2aa9fac12b4b4e78303b57
    • Opcode Fuzzy Hash: 124e7f3e3420b50d6aea73d8cdc4be70edaac323cc4d626c716a499bc5f63543
    • Instruction Fuzzy Hash: 58912A307001219FC748EB68D594A2EB7A3FBDD250B24806ED91A9F395CE3AED07DB51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered graph omitted)
    APIs
    • VirtualProtect.KERNELBASE(?), ref: 6E4756E7
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: t
    • API String ID: 544645111-2238339752
    • Opcode ID: 032c919be3f82fdbfa92d882d0c824ac1532aef8dfab8f9cdfbb3d1660450ec0
    • Instruction ID: 21d0550091a1b928005378b1eccbe2d7a1a00933d6fb3775ea8955f2e574f9be
    • Opcode Fuzzy Hash: 032c919be3f82fdbfa92d882d0c824ac1532aef8dfab8f9cdfbb3d1660450ec0
    • Instruction Fuzzy Hash: 18F0F6B2E08149DFCB04DFF198508EEBFA4DF49250F04465BD505AB101D2248206CF64
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered graph omitted)
    APIs
    • VirtualProtect.KERNELBASE(?,0000000C,00000004,?,?,?,?,?,?,?,?,?), ref: 6E4760B2
    • VirtualProtect.KERNELBASE(?,0000000C,?,?,?,?,?,?,?,?,?), ref: 6E476116
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: b69dd58c092f260b3b6cfe4884b137f27cf2e7d9983251186c83dcae41982bbb
    • Instruction ID: 73b589460fb8229a97500e66104cc54b22747f7ddca560c432cd01c60bd0d6e8
    • Opcode Fuzzy Hash: b69dd58c092f260b3b6cfe4884b137f27cf2e7d9983251186c83dcae41982bbb
    • Instruction Fuzzy Hash: 475194749049288FEB74CF28DC94BAAB7B1EB48346F1481D9D81DA7341DA35AEC5DF40
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered graph omitted)
    APIs
    • SetEvent.KERNEL32(0000033C), ref: 6E472A5F
    • SetEvent.KERNEL32(00000338), ref: 6E472A8B
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Event
    • String ID:
    • API String ID: 4201588131-0
    • Opcode ID: 9481a089313e8371bff8cebb054fcbec6bb4f3706258f1b47fd9f95efa10a0d1
    • Instruction ID: 9f1b9073a612b781d9f5cc35fcd0080120c008cddc9921c0f438b1abd9167041
    • Opcode Fuzzy Hash: 9481a089313e8371bff8cebb054fcbec6bb4f3706258f1b47fd9f95efa10a0d1
    • Instruction Fuzzy Hash: C2F082F1A44208BBDE30EBFA9908BCF77AC9B4B755F000026E941A7740DEB1C94586E5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered graph omitted)
    Memory Dump Source
    • Source File: 00000001.00000002.207024881.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5740000_PRTService.jbxd
    Similarity
    • API ID: ControlDrawFrame
    • String ID:
    • API String ID: 3837821161-0
    • Opcode ID: c5a522dda17d9be41de35582b673702d7f84c8200b243295866bf6607e8da46f
    • Instruction ID: 3a7960d30d7cc4a88608f566b064e8ec91d0478bbd53fd94b87d418ccd33cb0c
    • Opcode Fuzzy Hash: c5a522dda17d9be41de35582b673702d7f84c8200b243295866bf6607e8da46f
    • Instruction Fuzzy Hash: E0E12E31A00110DFDB09DFA8C958E69BBB3FF89314B1580A9E6069F276CB36DC55EB41
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c314b88c4117b726fcddd8e4a45d7c50735c50c4acab312b8a8bc639efab585f
    • Instruction ID: 6824feae9779eb2983094779b481f05857d4f0ae63765611860f6994e5ef45d5
    • Opcode Fuzzy Hash: c314b88c4117b726fcddd8e4a45d7c50735c50c4acab312b8a8bc639efab585f
    • Instruction Fuzzy Hash: BE51EB74A00109AFDF58DBE9C9A0FFEB7B9AF44304F10045AE546AB381CB749A44DB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 01A1A7F5
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: f9086d8fd256be94bfd8e7af3361a71495638dde8f6f8af77a8e55ee568dfc5f
    • Instruction ID: edf92d02ee43590caf83fe38118e7ad3b03a8d84306c0aa727afe8035edaf1cd
    • Opcode Fuzzy Hash: f9086d8fd256be94bfd8e7af3361a71495638dde8f6f8af77a8e55ee568dfc5f
    • Instruction Fuzzy Hash: 9E319EB1505380AFE722CF65CC44F66BFE8EF45210F0884AEED858B252D365E909CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryA.KERNELBASE(?,00000E2C), ref: 01A1AFD7
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 08adec9c8a9c9a308df6e62addd8a463d7273e013a883f006e71297341948ea3
    • Instruction ID: b92ce907889d59077e46e5f6759898687f0f16e89077bc52bf97b2ac93d160cd
    • Opcode Fuzzy Hash: 08adec9c8a9c9a308df6e62addd8a463d7273e013a883f006e71297341948ea3
    • Instruction Fuzzy Hash: 8D31C37140D3C4AFE7138B24CC55BA2BFB89F03320F1880DBE9849F193D269A949C762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFileType.KERNELBASE(?,00000E2C,FB8EC79A,00000000,00000000,00000000,00000000), ref: 01A1A8E1
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: 743d94a7a79522d57b50ead5feee3be7ab205fc8c261eebcf70b95c4589a8829
    • Instruction ID: 51fed76b13077a66f3eefe56da8c3ad13d599b0b73352c4e943af244d8d8468f
    • Opcode Fuzzy Hash: 743d94a7a79522d57b50ead5feee3be7ab205fc8c261eebcf70b95c4589a8829
    • Instruction Fuzzy Hash: 5021D6B54493806FE7138B25DC41BA2BFA8EF47720F1980D7ED849B293D2646909CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 01A1A7F5
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: e979bd0c44b432df5e6a426285f546ed3a6ad7337d1a4634b4db39078e8702c3
    • Instruction ID: 6d7cd4085d7bd88459e91d9ab4689495d0bf2555b2473d98b55408ff93c35a16
    • Opcode Fuzzy Hash: e979bd0c44b432df5e6a426285f546ed3a6ad7337d1a4634b4db39078e8702c3
    • Instruction Fuzzy Hash: AD218C71501640AFEB21DF69CC84F66FBE8EF08710F18846AEE858B656D371E905CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteFile.KERNELBASE(?,00000E2C,FB8EC79A,00000000,00000000,00000000,00000000), ref: 01A1A9AD
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: d06a25025348f5cd707b81a87de3b5cbfe9e6a9f4bd5d0744ba42cdc63daed2f
    • Instruction ID: 6902a620f69cc0e71f0af2b0ba01aa140d086c428b1b77b7d2ffad0baa1194c4
    • Opcode Fuzzy Hash: d06a25025348f5cd707b81a87de3b5cbfe9e6a9f4bd5d0744ba42cdc63daed2f
    • Instruction Fuzzy Hash: 4621C472409380AFD7228F65DC45F56FFB8EF46310F09849BEA849F153C224A409CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateDirectoryW.KERNELBASE(?,?), ref: 01A1A6FB
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID:
    • API String ID: 4241100979-0
    • Opcode ID: 7277b57ceb8074d97d854dc777628dda1eac9f5ce7c9eb030b9bae67f5893f72
    • Instruction ID: b141e6b5592f66bbd7ef3eed92bd8bf7faf90d220c7c927ab8fc1011c69b7262
    • Opcode Fuzzy Hash: 7277b57ceb8074d97d854dc777628dda1eac9f5ce7c9eb030b9bae67f5893f72
    • Instruction Fuzzy Hash: 6C21A1B55093809FD712CB29DC44B52BFE8EF46210F0984EAE985CF153E2649909CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207024881.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5740000_PRTService.jbxd
    Similarity
    • API ID: ControlDrawFrame
    • String ID:
    • API String ID: 3837821161-0
    • Opcode ID: c8c83f7a19e556f241756b4c6e6e03c9d0d03f25e14c0959a4b2f73b45d7d1a2
    • Instruction ID: bad91f2fac12bae861796ed3c2759afa676c25b7ed693d7cdf2988bf376be0af
    • Opcode Fuzzy Hash: c8c83f7a19e556f241756b4c6e6e03c9d0d03f25e14c0959a4b2f73b45d7d1a2
    • Instruction Fuzzy Hash: 371190303002118FC708EB6CD9A0A2EB7A7FFD9624724956ED9098F385CE36AD078795
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DrawFrameControl.USER32(00000000,?,?,?,?,05740CB0), ref: 05740149
    Memory Dump Source
    • Source File: 00000001.00000002.207024881.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5740000_PRTService.jbxd
    Similarity
    • API ID: ControlDrawFrame
    • String ID:
    • API String ID: 3837821161-0
    • Opcode ID: 4d6e4e779375ed85b5eda091a95397ba71ff61527706fe2bea9fb17d77037aab
    • Instruction ID: c55b7e385b4e21816df3d8a813a949554187e3f4aee7b3cf5e0138f747f2efe2
    • Opcode Fuzzy Hash: 4d6e4e779375ed85b5eda091a95397ba71ff61527706fe2bea9fb17d77037aab
    • Instruction Fuzzy Hash: C011C4343041605FD7189A6DD895739B793FFCB210B24806AD54ADF395CA3ADD078B51
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207024881.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5740000_PRTService.jbxd
    Similarity
    • API ID: ControlDrawFrame
    • String ID:
    • API String ID: 3837821161-0
    • Opcode ID: 0893caaedc80de48799e3c29319608210707b43b9795720488b5fb3dd3475828
    • Instruction ID: b7e745a81a226911dba6d7058482c179b024cf71c12a7ead4f865eef5121908c
    • Opcode Fuzzy Hash: 0893caaedc80de48799e3c29319608210707b43b9795720488b5fb3dd3475828
    • Instruction Fuzzy Hash: B51121303001215FC708E66DD960A6EB7ABFBD9624724952ED90A8B384CE76ED068795
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteFile.KERNELBASE(?,00000E2C,FB8EC79A,00000000,00000000,00000000,00000000), ref: 01A1A9AD
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 33e136769d746dd4040032ecea17a1f6db12ebe4797c5ad84a2970a16f3cdeaf
    • Instruction ID: d39f47d7f01946fe7c015bfdc2879be5adf36dc49c5ef8e8b059fa0748eb1fa1
    • Opcode Fuzzy Hash: 33e136769d746dd4040032ecea17a1f6db12ebe4797c5ad84a2970a16f3cdeaf
    • Instruction Fuzzy Hash: 3311BF72400640EFEB218F59DC81F6AFFA8EF45320F18846BEE49DB255C674A448CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNELBASE(?,?,?), ref: 01A1B412
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: ef4131efcd3e88664abc60901ede333bc3ecbb73d8d9168d48f900d126cb2a57
    • Instruction ID: 2aea49a3bc3b8dbb81162939db61a94748c6884d59a2ff5451ab37d3e91b61e0
    • Opcode Fuzzy Hash: ef4131efcd3e88664abc60901ede333bc3ecbb73d8d9168d48f900d126cb2a57
    • Instruction Fuzzy Hash: F7117F71449384AFDB12CF65DC84B92FFF4EF46210F0884AAED898B253D275A455CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DrawFrameControl.USER32(00000000,?,?,?,?,05740CB0), ref: 05740149
    Memory Dump Source
    • Source File: 00000001.00000002.207024881.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5740000_PRTService.jbxd
    Similarity
    • API ID: ControlDrawFrame
    • String ID:
    • API String ID: 3837821161-0
    • Opcode ID: 34101ee9fb6ce9293dec2b33c3683bf8df64ceba57fd7b62fa878f40b89cddc2
    • Instruction ID: 8b950f8592f14e1e05691314385dc7928d55ca88c05fc50b51ed6f0b0c736fc2
    • Opcode Fuzzy Hash: 34101ee9fb6ce9293dec2b33c3683bf8df64ceba57fd7b62fa878f40b89cddc2
    • Instruction Fuzzy Hash: 1B1182343001209FD7189A6DD894B3AB797FFCA214F24806AD60A9F385CE3ADC078B61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindCloseChangeNotification.KERNELBASE(?), ref: 01A1A290
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: 12557af5de11123bb10d4bf96e44f49797f1b9eecca87d1688f13e46cd0bd910
    • Instruction ID: 87530e3e34a74c7050bd38e6acc138e72a0a6172271e379666550e8b581ea832
    • Opcode Fuzzy Hash: 12557af5de11123bb10d4bf96e44f49797f1b9eecca87d1688f13e46cd0bd910
    • Instruction Fuzzy Hash: A411A7715093C0AFDB128F25DC84B56BFA4DF46220F0884DBED858F657D2759908CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryA.KERNELBASE(?,00000E2C), ref: 01A1AFD7
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 403f6ecd72012cb44576223b19cb957fc6ef0063524f72195866dc3dbef07c50
    • Instruction ID: af14b8ce6a73ce34d63d3710cdc2f589454d3a7a318698b8368c0fe6171558dd
    • Opcode Fuzzy Hash: 403f6ecd72012cb44576223b19cb957fc6ef0063524f72195866dc3dbef07c50
    • Instruction Fuzzy Hash: DB114471500300EFFB21DB29CC81FA6FBA8DF05720F24C09AEE455B286C2B4A508CBB1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateDirectoryW.KERNELBASE(?,?), ref: 01A1A6FB
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID:
    • API String ID: 4241100979-0
    • Opcode ID: 572602f6d6f358850110cb4ee2d3aada9feeac360fa525ed94fb5efd9f32f6c5
    • Instruction ID: 96168c041c1b4ec7732b5963140b98aa4b477582b500662947eeca1a62f460f5
    • Opcode Fuzzy Hash: 572602f6d6f358850110cb4ee2d3aada9feeac360fa525ed94fb5efd9f32f6c5
    • Instruction Fuzzy Hash: 031184756012809FEB10CF29D884B66FFE8EF44220F18C4AADD49DB646E674E944CF71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFileType.KERNELBASE(?,00000E2C,FB8EC79A,00000000,00000000,00000000,00000000), ref: 01A1A8E1
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: FileType
    • String ID:
    • API String ID: 3081899298-0
    • Opcode ID: bf5d5f60e92e2b87e42d4bb4ddb8944053a3c8365356bd9cd791722ea37b32cc
    • Instruction ID: 2c7b7223a5a02f2474aef7def923e62c22b0992022f2d7efdc1dd3913dffbbd4
    • Opcode Fuzzy Hash: bf5d5f60e92e2b87e42d4bb4ddb8944053a3c8365356bd9cd791722ea37b32cc
    • Instruction Fuzzy Hash: 10012271500244EEE721CB29CC84F66FBA8DF45320F188097EE45AB246D2B4A4498BB1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207024881.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5740000_PRTService.jbxd
    Similarity
    • API ID: ControlDrawFrame
    • String ID:
    • API String ID: 3837821161-0
    • Opcode ID: 030e9f3f1194caaaa8b76672fa5ea3042a9c41c4a318a5ae2a254122b7a19f09
    • Instruction ID: 23b888ef5cf5615033646a3708c09de05cb2086dbc677bd82fd3b3e0e3968df1
    • Opcode Fuzzy Hash: 030e9f3f1194caaaa8b76672fa5ea3042a9c41c4a318a5ae2a254122b7a19f09
    • Instruction Fuzzy Hash: B10171317002208BC718DA5DD46492AB79BFFCE264724846ED91ACF344DE36DC07CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetErrorMode.KERNELBASE(?), ref: 01A1A594
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: 574f8a14c0ebb8eb72ec4d059013add47f89c6b81f61d2a8cf495753a42ec53b
    • Instruction ID: b400d0ce4caa52a682ef2c8c58bc0fab426881692ebb0987afafb8c2e516f384
    • Opcode Fuzzy Hash: 574f8a14c0ebb8eb72ec4d059013add47f89c6b81f61d2a8cf495753a42ec53b
    • Instruction Fuzzy Hash: 88115E714093C4AFD7128B25DC44B62FFA4DF46625F0880DAED859B253D275A908DB72
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207024881.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5740000_PRTService.jbxd
    Similarity
    • API ID: ControlDrawFrame
    • String ID:
    • API String ID: 3837821161-0
    • Opcode ID: 32daf778a15f05447c0c3b60b512b674eed79862a3fb9dbc3ffc3fd2a0183aaf
    • Instruction ID: 0fcc37042e8d2f015620fb2cda6fec89dbfb5ecffb5a4c77614e111271b8e73d
    • Opcode Fuzzy Hash: 32daf778a15f05447c0c3b60b512b674eed79862a3fb9dbc3ffc3fd2a0183aaf
    • Instruction Fuzzy Hash: BA0180313042208FC719DA5DD454929B7A7FFCE25472884AED909CF395CA36DC07CB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNELBASE(?,?,?), ref: 01A1B412
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 582f2a19617ead2675f871da73c95c1e0085a4018bd166f8ee783090b6e7bde8
    • Instruction ID: 1a33ad8ea06a8a824d34a8d97c4b7ef918cc8194652154114093d3bb1d318e7e
    • Opcode Fuzzy Hash: 582f2a19617ead2675f871da73c95c1e0085a4018bd166f8ee783090b6e7bde8
    • Instruction Fuzzy Hash: 86018C759402409FDB20CF69D884766FFE4EF44220F18C4AADE498B206D275A414CB72
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindCloseChangeNotification.KERNELBASE(?), ref: 01A1A290
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: d4aacc75a508986edd919750210597491766d6900911d3c750bc0b5f7fabf3df
    • Instruction ID: 271dd35a4f9761aaf695cd95be2bbf73d81ed2a48c232cc8bf5d02c0df6b3046
    • Opcode Fuzzy Hash: d4aacc75a508986edd919750210597491766d6900911d3c750bc0b5f7fabf3df
    • Instruction Fuzzy Hash: 3501DF71905280DFDB108F69D8847A6FFA4EF44320F18C4ABDD0A8B62AD675A408CF61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNELBASE(?), ref: 6E4756E7
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 2677f3c0be0bd231ae4adbc0a16395cf1b80fdc80d4b2d41d04c26dcae2e3f97
    • Instruction ID: e2b453b48cb057047879885c668579516b5dfe5969cb7bff448714acc6dfdc5b
    • Opcode Fuzzy Hash: 2677f3c0be0bd231ae4adbc0a16395cf1b80fdc80d4b2d41d04c26dcae2e3f97
    • Instruction Fuzzy Hash: 4BF0A475A18109AFCB04CEA9D854DEEBB69EB85251F508056E944DB304C7319981CBE0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetErrorMode.KERNELBASE(?), ref: 01A1A594
    Memory Dump Source
    • Source File: 00000001.00000002.206387528.0000000001A1A000.00000040.00000001.sdmp, Offset: 01A1A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a1a000_PRTService.jbxd
    Similarity
    • API ID: ErrorMode
    • String ID:
    • API String ID: 2340568224-0
    • Opcode ID: 1d5e884cc55ed74708bada948bcb2779d4ddb72883f76ab4264d46dd8b80556e
    • Instruction ID: 0855088e5cd13d0437aef2a264ffe3ee5077e70243989de919bac9ea41eea2eb
    • Opcode Fuzzy Hash: 1d5e884cc55ed74708bada948bcb2779d4ddb72883f76ab4264d46dd8b80556e
    • Instruction Fuzzy Hash: 5AF08C75909684DFDB108F29D884766FFA0EF04331F18C09ADD494B71AD3B5A408CEA2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 6E475743
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 50436b8ccc79e37b61e783c5071e96ee841c9d2338f7c73645fbb049e1391b0e
    • Instruction ID: fc62e815b3319c1feefaee859bafb6ec8ad87f83c4073164c2978cfd7faac8a1
    • Opcode Fuzzy Hash: 50436b8ccc79e37b61e783c5071e96ee841c9d2338f7c73645fbb049e1391b0e
    • Instruction Fuzzy Hash: F6F08276D15048DA8B00DBE9E440DEDB7B9EEC9321B14C217E634F3180EB254415CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 6E475743
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: bfdcca4ab560bd81211b05dee00d8494bc04540e6fa1887ea51362aead3b5fe1
    • Instruction ID: 18f5abb04b34eb8f51c1922e9c915bad3946fa0b7aba28ee930e6285ead37de8
    • Opcode Fuzzy Hash: bfdcca4ab560bd81211b05dee00d8494bc04540e6fa1887ea51362aead3b5fe1
    • Instruction Fuzzy Hash: A6E0E576A045089B8B00CFD9E4809DEF7B8EB8C251F10806AE915E3200E334A9128B20
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • InitializeCriticalSection.KERNEL32(015D09D8), ref: 6E47380B
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: CriticalInitializeSection
    • String ID:
    • API String ID: 32694325-0
    • Opcode ID: 18554ceb562ae4e1612562248a8a9000e7feb224838ae8bfa233c6464e0fea40
    • Instruction ID: b63ea2db49128afb911bf84552b515671d00a731fa3a506681f2f83884ce8dc1
    • Opcode Fuzzy Hash: 18554ceb562ae4e1612562248a8a9000e7feb224838ae8bfa233c6464e0fea40
    • Instruction Fuzzy Hash: 51114671D045149ADF20DBB5EC64FDBB778AB05646F00449EE809A6280DB719A49CFD0
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.206396402.0000000001A2A000.00000040.00000001.sdmp, Offset: 01A2A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a2a000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2eb89d7e1b330a05a623ec8eaa0aad85fb8709a82c317d2a93b979f0ef5ad516
    • Instruction ID: 91e79e88df86b895bb41113f27f3735b77f17c473b2ae879fd3fc1cf58f49842
    • Opcode Fuzzy Hash: 2eb89d7e1b330a05a623ec8eaa0aad85fb8709a82c317d2a93b979f0ef5ad516
    • Instruction Fuzzy Hash: D9210472549340AFD7108F49AC41A66FFA8EB85630F18C59FFD0A9B611C276A404CBB2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.206396402.0000000001A2A000.00000040.00000001.sdmp, Offset: 01A2A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a2a000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ad535f4e0edec44a27c210ad2e7de47c0a967b63147faaafc6738788795e5bd8
    • Instruction ID: 17633a87c9b06c6e285d14a4d3ca3f15098beeb55b3aecb6849b2e3a275fe6e3
    • Opcode Fuzzy Hash: ad535f4e0edec44a27c210ad2e7de47c0a967b63147faaafc6738788795e5bd8
    • Instruction Fuzzy Hash: 9B11C276644304BFD6508E4AEC41E67FBA8EBC4A31F18C56AFE095B601D272B9148FB1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.206396402.0000000001A2A000.00000040.00000001.sdmp, Offset: 01A2A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a2a000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 490a98e3843682ff16940869aa5ba96e4e540211090833bc2c65464486b3a2a8
    • Instruction ID: b4dfd278e60f42ef271d189ac9589a33cf557f3725a65477d557b2a79b979e1b
    • Opcode Fuzzy Hash: 490a98e3843682ff16940869aa5ba96e4e540211090833bc2c65464486b3a2a8
    • Instruction Fuzzy Hash: E701247240E3C06FD3128B259C51AA2BF78DF43620F1D84CBE9889F153D2166909C7B2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.206396402.0000000001A2A000.00000040.00000001.sdmp, Offset: 01A2A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a2a000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5b0194c85eda5514061eca9f176336ff2e294091393fa2cc73e7c70e7a8f8d3c
    • Instruction ID: cf03b2a4a3da3c82b79b0a62791c11fe89efaa7d0f0e5833889fc35a607c4108
    • Opcode Fuzzy Hash: 5b0194c85eda5514061eca9f176336ff2e294091393fa2cc73e7c70e7a8f8d3c
    • Instruction Fuzzy Hash: B0E0D872941700ABD2508E0ADC82B53FB58EB84A31F18C457ED0D1B701D1B5B5048EF1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207316029.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5900000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2cbbbc9da58bef2226ea70711eb2e341bcca791d07096a78bf168f9f3774de33
    • Instruction ID: 4d8ab261e8c3a7cdfdf68f4a02a4a6f358545f3103c1db970d256ca836738b4f
    • Opcode Fuzzy Hash: 2cbbbc9da58bef2226ea70711eb2e341bcca791d07096a78bf168f9f3774de33
    • Instruction Fuzzy Hash: 14E0927144D3C49FC7438BA588689953FB4AF47224B0B80EBE584CF4B3D23A5859DF62
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207316029.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5900000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1d5ed543a4ab155bfdb74987dd5a31645f2016d53d831c1db2c8047dc4cf2b23
    • Instruction ID: cfaaa55e13d6daffe139a0f35228996c110d7a235d4e059d355204d79cb7d524
    • Opcode Fuzzy Hash: 1d5ed543a4ab155bfdb74987dd5a31645f2016d53d831c1db2c8047dc4cf2b23
    • Instruction Fuzzy Hash: 20E0426604E7C08FC3038B749868A543F75AF17109B1E80D7D094CF5B3C5169809C726
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207316029.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5900000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5fc51ed11293fe73e3ba66353bb36abc6625877220c470afc6a85e36a0a21a3c
    • Instruction ID: e467376a4130b0c9b1a71b35bcd963d274fe67fac8d90fd6a1218328e01349f3
    • Opcode Fuzzy Hash: 5fc51ed11293fe73e3ba66353bb36abc6625877220c470afc6a85e36a0a21a3c
    • Instruction Fuzzy Hash: 24E0242504E3C08FC3038BB499A8A913FB4AF03109B1A40EBD188CB8B3C16A180EC722
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.206384168.0000000001A12000.00000040.00000001.sdmp, Offset: 01A12000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a12000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f06c262f0fc09983e3cfc32263b1ab570e56312dc8ca25a1000c95e5724c382c
    • Instruction ID: d37955d7b2baf455a7d43d0a63ff75b56ba4d02979e46722bc9de19281c6ba21
    • Opcode Fuzzy Hash: f06c262f0fc09983e3cfc32263b1ab570e56312dc8ca25a1000c95e5724c382c
    • Instruction Fuzzy Hash: 1FD05E79295A818FE3268B1CC1A8B953FE4AB51B04F5644FEE8008B667C368E981D200
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.206384168.0000000001A12000.00000040.00000001.sdmp, Offset: 01A12000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_1a12000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ac51ba474f0806364fa2433641138a45203dc4f19ec4c28cdab4fcbb4180d5f3
    • Instruction ID: b06350cd523aba2e6368fed8c209c8f46b5948c98e8841ad08ebcd2f253b503e
    • Opcode Fuzzy Hash: ac51ba474f0806364fa2433641138a45203dc4f19ec4c28cdab4fcbb4180d5f3
    • Instruction Fuzzy Hash: A6D05E342002818FE715DB0CC594F593BD4AB41B00F1644E9AD008B666C3A4D881D600
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207316029.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5900000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 03b294f4b2c48518cfeedeba3b9af9ab744c2084e4f4ed62b4c78870d39f2145
    • Instruction ID: ae8d11fc871b69cf8a317df25c21c8a0faa538be261ceed2a03d50c433cd20f9
    • Opcode Fuzzy Hash: 03b294f4b2c48518cfeedeba3b9af9ab744c2084e4f4ed62b4c78870d39f2145
    • Instruction Fuzzy Hash: A2C04C35100208AFCB015F55D404D957FA9EF55260F008061F9484A521C67295249B51
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207316029.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5900000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d624a1dacee1db0c12c846bd779557fc363f24c1e94d5624fb5d31168e842392
    • Instruction ID: 25dbd8d1524ea88a0d5d3abe123b4c8251d15cd8ef575636d9417f4a5caeb493
    • Opcode Fuzzy Hash: d624a1dacee1db0c12c846bd779557fc363f24c1e94d5624fb5d31168e842392
    • Instruction Fuzzy Hash: 48A011300002088B8200AAA8E00880033ECBA08A0830800E0A0088BA328A22B8008A82
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207316029.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_5900000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c2b739e6143de4b2e80f1910f2a15913308529585e9a6837397fe98f9abcd8c9
    • Instruction ID: ce9f0d320568e7aeddd1da0d443e20918fc001d358bb9c195afdc7c1ad0b123c
    • Opcode Fuzzy Hash: c2b739e6143de4b2e80f1910f2a15913308529585e9a6837397fe98f9abcd8c9
    • Instruction Fuzzy Hash: 32A011300002088BC200ABA8E008EA033ECAB08A08F0000F0A20C8BA228A22B8008A82
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • MessageBoxW.USER32(00000000,?,AgileDotNet,00010000), ref: 6E4768AD
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Message
    • String ID: and can not run on this machine.$AgileDotNet$The secured image was created using a trial version of
    • API String ID: 2030045667-654727452
    • Opcode ID: 0c74ecc97fc1f3d329d8e17294cc7015879a79c8e045fb928f25d71c0dc0a42b
    • Instruction ID: cfa3fb18115f06d769f37bdefaa34cdd269cf4a283646d1102855c14848b132a
    • Opcode Fuzzy Hash: 0c74ecc97fc1f3d329d8e17294cc7015879a79c8e045fb928f25d71c0dc0a42b
    • Instruction Fuzzy Hash: C341A672D142586ACF20D7F09C15FEF77BCAB15245F0408ABF588E6241EA74D68C8BE1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetVersionExW.KERNEL32(00000114), ref: 6E471EC4
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Version
    • String ID:
    • API String ID: 1889659487-0
    • Opcode ID: ed7358aee531903d3b42c3cca89ac5023d9cc2014b4106fbdc88b907d5301a12
    • Instruction ID: a5d60195afbc0501374e1dd7a5814437852252c337055bdaf830998f46dc1a09
    • Opcode Fuzzy Hash: ed7358aee531903d3b42c3cca89ac5023d9cc2014b4106fbdc88b907d5301a12
    • Instruction Fuzzy Hash: 8521A370D1921CDBDFB48EA18A1ABCDB6B4AB06719F1041DBD51822344C3B44BCDCED2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.205851900.0000000000EC2000.00000002.00020000.sdmp, Offset: 00EC0000, based on PE: true
    • Associated: 00000001.00000002.205843619.0000000000EC0000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.205917024.0000000000EF8000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ec0000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b2a6387abad8aaa46175e112f3aa4443342a3a65c4a618d98733fb91c65af728
    • Instruction ID: 358f50a8d9e2809327581fdbea1cc6937e6195fec94ceca7582a880b59de7631
    • Opcode Fuzzy Hash: b2a6387abad8aaa46175e112f3aa4443342a3a65c4a618d98733fb91c65af728
    • Instruction Fuzzy Hash: 2DE1C9A244E7C29FC7538B748C656907FB0AE17224B1E49DBC4C1CF4A3E25D585ADB23
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.205851900.0000000000EC2000.00000002.00020000.sdmp, Offset: 00EC0000, based on PE: true
    • Associated: 00000001.00000002.205843619.0000000000EC0000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.205917024.0000000000EF8000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_ec0000_PRTService.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3abe0b4e3218fffa630672e131f9a410a53fcb1476a4011b9998169ecf56a48a
    • Instruction ID: 23601bb1c59848db742e2664b18a080bfc8221dc0f3e1bd02099afdac04eae77
    • Opcode Fuzzy Hash: 3abe0b4e3218fffa630672e131f9a410a53fcb1476a4011b9998169ecf56a48a
    • Instruction Fuzzy Hash: 7781B82145F7D28FC7934B748DA51917FB1AE0726831E48DBC8C0CF4A7D269285ADB23
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.KERNEL32(00000000,00001000), ref: 6E472346
    • HeapAlloc.KERNEL32(00000000), ref: 6E47234D
    • ReadProcessMemory.KERNEL32(000000FF,?,00000000,00001000,?), ref: 6E472377
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E47238F
    • HeapFree.KERNEL32(00000000), ref: 6E472396
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E4723D1
    • HeapFree.KERNEL32(00000000), ref: 6E4723D8
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$Process$Free$AllocMemoryRead
    • String ID:
    • API String ID: 3401992658-0
    • Opcode ID: 85bc460d1c2322a149f95fc22f987220284803b1153c37d383a8324f70c51c7e
    • Instruction ID: 51fe0bb33cd016b184a8d132dfa950cf9437f2b1cdf3bfc26b017480d93011fa
    • Opcode Fuzzy Hash: 85bc460d1c2322a149f95fc22f987220284803b1153c37d383a8324f70c51c7e
    • Instruction Fuzzy Hash: 2FC1F3B0A08109EFDF54DFE9D894FEEBBB8AF09345F10445AE505E7240DB74AA41CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.KERNEL32(00000000,00000178), ref: 6E4739CB
    • HeapAlloc.KERNEL32(00000000), ref: 6E4739D2
    • RaiseException.KERNEL32(00000111,00000000,00000001,?), ref: 6E473A26
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,0000000E,00000000,00000000,00000178), ref: 6E473A55
    • HeapFree.KERNEL32(00000000), ref: 6E473A5C
    • GetProcessHeap.KERNEL32(00000000,00000178), ref: 6E473A68
    • HeapAlloc.KERNEL32(00000000), ref: 6E473A6F
    • RaiseException.KERNEL32(00000111,00000000,00000001,?), ref: 6E473AC3
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,0000000E,00000000,00000000,00000178,00000000,0000000E,00000000,00000000,00000178), ref: 6E473BD6
    • HeapFree.KERNEL32(00000000), ref: 6E473BDD
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$Process$AllocExceptionFreeRaise
    • String ID: Memory allocation failed for IP_ADAPTER_ADDRESSES struct$luetooth
    • API String ID: 2657628542-2887912024
    • Opcode ID: 4ba90f1ccef212d4d1b258b90e17bf6de8b89733aaac6c7f98453c2b247195f8
    • Instruction ID: cec65e905aa94aee0d1ef9a5e3eaaba2371b1efbee9dba7207c6e4aa1e88a9b6
    • Opcode Fuzzy Hash: 4ba90f1ccef212d4d1b258b90e17bf6de8b89733aaac6c7f98453c2b247195f8
    • Instruction Fuzzy Hash: 56710CB1E04209AFEF10DFE0C899FDFB7B8AB09305F004559E605AB281D7B59945CFA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryW.KERNEL32(ntdll.dll), ref: 6E472011
    • GetProcAddress.KERNEL32(00000000,DbgUiRemoteBreakin), ref: 6E472036
    • GetProcAddress.KERNEL32(00000000,DbgBreakPoint), ref: 6E47204A
    • FreeLibrary.KERNEL32(00000000), ref: 6E47205D
    • VirtualProtect.KERNEL32(00000000,00001000,00000040,?), ref: 6E472079
    • FreeLibrary.KERNEL32(00000000), ref: 6E472087
    • VirtualProtect.KERNEL32(00000000,00001000,?,?), ref: 6E4720CA
    • FreeLibrary.KERNEL32(00000000), ref: 6E4720D8
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Library$Free$AddressProcProtectVirtual$Load
    • String ID: DbgBreakPoint$DbgUiRemoteBreakin$ntdll.dll
    • API String ID: 1593070991-76633807
    • Opcode ID: 99673c4967c38f185ec7fa7b75ff5dddd6a00cc1490d38b82cbd97c7d1ca6328
    • Instruction ID: 0de1f22bd0c833135596907a8f2540f111724f50db378ef20f965d576c2ed1f6
    • Opcode Fuzzy Hash: 99673c4967c38f185ec7fa7b75ff5dddd6a00cc1490d38b82cbd97c7d1ca6328
    • Instruction Fuzzy Hash: 26310AB4904289EFCF10DFF5D848EEFB7B8BB0A355F00444AE611A7240D7B59A46CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetTempPathA.KERNEL32(00000104,?), ref: 6E47A5D8
    • GetSystemTime.KERNEL32(?), ref: 6E47A5E5
    • GetDateFormatA.KERNEL32(00000400,00000000,00000000,dd'd'MM'm'yyyy'y',?,00000014), ref: 6E47A602
    • GetTimeFormatA.KERNEL32(00000400,00000000,00000000,HH'h'mm'm'ss's',?,00000014), ref: 6E47A61F
    • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 6E47A6BC
    • GetProcessHeap.KERNEL32(00000000,00000018), ref: 6E47A6CB
    • HeapAlloc.KERNEL32(00000000), ref: 6E47A6D2
    • InitializeCriticalSection.KERNEL32(00000000), ref: 6E47A6E3
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: FormatHeapTime$AllocCreateCriticalDateFileInitializePathProcessSectionSystemTemp
    • String ID: .txt$HH'h'mm'm'ss's'$RuntimeLog$dd'd'MM'm'yyyy'y'
    • API String ID: 3586126689-1436097571
    • Opcode ID: 0237f20412ce979bc3333558678d6f6207329b2a12a577092a4cf419266bfbc0
    • Instruction ID: 3d4d3edc61747118a4dc6f49a8c4336d9fa8a12c8f6c8fe8451870175638872e
    • Opcode Fuzzy Hash: 0237f20412ce979bc3333558678d6f6207329b2a12a577092a4cf419266bfbc0
    • Instruction Fuzzy Hash: 0F3137B69402187BDF20A7F0ED89FDB737CAB25705F00059AF705E6280E7709649CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: ErrorLastThread$Context$EventResumeSuspend
    • String ID:
    • API String ID: 1160570678-0
    • Opcode ID: 4eb6aeb741d32611af17f3fab3532565dff2e6da978ac1f104c45ef608c0259e
    • Instruction ID: 5e3913e4fe5a39827e8c68b52eac382ae17fbad9e60b14dac98da89b7df66037
    • Opcode Fuzzy Hash: 4eb6aeb741d32611af17f3fab3532565dff2e6da978ac1f104c45ef608c0259e
    • Instruction Fuzzy Hash: 42C1E370A05258DFDB64DFA4C99CBDDBBB5AB05344F1040CAE408AB391D7B6AE85CF90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryA.KERNEL32(mscoree.dll), ref: 6E472E1E
    • GetProcAddress.KERNEL32(00000000,GetCORVersion), ref: 6E472E3F
    • GetProcAddress.KERNEL32(00000000,GetRequestedRuntimeInfo), ref: 6E472E55
    • GetProcAddress.KERNEL32(00000000,GetFileVersion), ref: 6E472E6B
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    • Associated: 00000001.00000002.207432971.000000006E460000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207466433.000000006E483000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.207471583.000000006E485000.00000008.00020000.sdmp
    • Associated: 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.207481972.000000006E487000.00000040.00020000.sdmp
    • Associated: 00000001.00000002.207486937.000000006E488000.00000080.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetCORVersion$GetFileVersion$GetRequestedRuntimeInfo$mscoree.dll
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentThread.KERNEL32 ref: 6E473D79
    • GetCurrentThreadId.KERNEL32 ref: 6E473D84
    • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 6E473D98
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6E473DAC
    • CreateThread.KERNEL32 ref: 6E473DD3
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6E473DE5
    • CloseHandle.KERNEL32(?), ref: 6E473DF2
    • GetCurrentThread.KERNEL32 ref: 6E473E02
    • CloseHandle.KERNEL32(?), ref: 6E473E14
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Thread$Current$CloseCreateHandle$EventObjectOpenSingleWait
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentThread.KERNEL32 ref: 6E474430
    • GetCurrentThreadId.KERNEL32 ref: 6E47443E
    • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 6E474452
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6E47446A
    • CreateThread.KERNEL32 ref: 6E474491
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6E4744A3
    • CloseHandle.KERNEL32(?), ref: 6E4744B0
    • CloseHandle.KERNEL32(?), ref: 6E4744CF
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Thread$CloseCreateCurrentHandle$EventObjectOpenSingleWait
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RaiseException.KERNEL32(00000111,00000000,00000001,?), ref: 6E47D6C9
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID: $-$@$@$Table stream was not found.
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$AllocCommandLineProcesslstrcpylstrlen
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileW.KERNEL32(MiniDump.dmp,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 6E47A850
    • GetCurrentThreadId.KERNEL32 ref: 6E47A865
    • GetCurrentProcessId.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 6E47A89B
    • GetCurrentProcess.KERNEL32(00000000), ref: 6E47A8A2
    • CloseHandle.KERNEL32(000000FF,00000000), ref: 6E47A8B5
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Current$Process$CloseCreateFileHandleThread
    • String ID: MiniDump.dmp
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 6E47A9B3
    • VirtualProtect.KERNEL32(?,?,00000004,?,?,?,0000001C), ref: 6E47A9CA
    • LeaveCriticalSection.KERNEL32(?,?,?,0000001C), ref: 6E47A9D9
    • VirtualProtect.KERNEL32(?,?,?,00000000,?,?,?,0000001C), ref: 6E47AA06
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Virtual$Protect$CriticalLeaveQuerySection
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 6E47A906
    • VirtualProtect.KERNEL32(?,?,00000004,?), ref: 6E47A91D
    • EnterCriticalSection.KERNEL32(?), ref: 6E47A92A
    • VirtualProtect.KERNEL32(?,?,?,00000000), ref: 6E47A956
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Virtual$Protect$CriticalEnterQuerySection
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MessageBoxW.USER32(00000000,This application requires .NET Framework 2.0 in order to run properly. Please verify that .NET framework 2.0 is installed on the,AgileDotNet,00010000), ref: 6E4736F6
    Strings
    • This application requires .NET Framework 2.0 in order to run properly. Please verify that .NET framework 2.0 is installed on the, xrefs: 6E4736EF
    • AgileDotNet, xrefs: 6E4736EA
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Message
    • String ID: AgileDotNet$This application requires .NET Framework 2.0 in order to run properly. Please verify that .NET framework 2.0 is installed on the
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6E479012
    • HeapFree.KERNEL32(00000000), ref: 6E479019
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6E479033
    • HeapFree.KERNEL32(00000000), ref: 6E47903A
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6E479492
    • HeapFree.KERNEL32(00000000), ref: 6E479499
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6E4794B3
    • HeapFree.KERNEL32(00000000), ref: 6E4794BA
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6E478D12
    • HeapFree.KERNEL32(00000000), ref: 6E478D19
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6E478D33
    • HeapFree.KERNEL32(00000000), ref: 6E478D3A
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 6E47E0E9
    • HeapReAlloc.KERNEL32(00000000), ref: 6E47E0F0
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6E47E100
    • HeapAlloc.KERNEL32(00000000), ref: 6E47E107
    Memory Dump Source
    • Source File: 00000001.00000002.207438735.000000006E471000.00000020.00020000.sdmp, Offset: 6E460000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_6e460000_PRTService.jbxd
    Similarity
    • API ID: Heap$AllocProcess
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%