Windows Analysis Report PRTService.exe

Overview

General Information

Sample Name: PRTService.exe
Analysis ID: 452460
MD5: 4a838989da416e3d16c520d03c3ba192
SHA1: f2fb096d74527a06c5b5c2975fd438419ec171b6
SHA256: 26c2caf1eb317e9354cec8a92e824a495ce7d253f6d1779226138e6994553cf9
Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Analysis Advice

Sample crashes during execution; try analyzing it on another analysis machine
Sample may be VM- or sandbox-aware; try analysis on a native machine
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

  • System is w10x64
  • PRTService.exe (PID: 5480 cmdline: 'C:\Users\user\Desktop\PRTService.exe' MD5: 4A838989DA416E3D16C520D03C3BA192)
    • dw20.exe (PID: 5976 cmdline: dw20.exe -x -s 852 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Source: PRTService.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\PRTService.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PRTService.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Dev\CliSecure\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: PRTService.exe, 00000001.00000002.207457246.000000006E481000.00000002.00020000.sdmp, AgileDotNetRT.dll.1.dr
Source: Binary string: C:\Windows\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: V:\ID-CHECK\Windows\NetDLL\Release\IDCheckNet.pdb source: PRTService.exe
Source: Binary string: C:\Windows\symbols\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: V:\ID-Check\IDCDeviceController\NetDeviceController\Release\IDCDeviceControllerNet.pdb source: PRTService.exe
Source: Binary string: mscorjit.pdb source: PRTService.exe, 00000001.00000002.207332184.0000000005A60000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\PRTService.pdb` source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: indows\PRTService.pdbpdbice.pdbs\ source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: .pdb3 source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: c:\Users\CarlosQ\Documents\Visual Studio 2012\Projects\ASAIComLayer\PRTService\obj\Release\PRTService.pdb source: PRTService.exe
Source: Binary string: C:\Users\user\Desktop\PRTService.pdb source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: mscorjit.pdb{ source: PRTService.exe, 00000001.00000002.207332184.0000000005A60000.00000004.00000001.sdmp
Source: Binary string: symbols\exe\PRTService.pdb source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: 1<pC:\Windows\PRTService.pdb source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: PRTService.exe, 00000001.00000002.207107980.00000000057B0000.00000002.00000001.sdmp
Source: Binary string: c:\Users\CarlosQ\Documents\Visual Studio 2012\Projects\ASAIComLayer\PRTService\obj\Release\PRTService.pdb\ source: PRTService.exe, 00000001.00000002.206457935.0000000003195000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop.pdbervice.exe < source: PRTService.exe, 00000001.00000002.206095329.0000000001336000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC29D8
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC345E
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC2050
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F529D8
Source: C:\Users\user\Desktop\PRTService.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 852
Source: PRTService.exe | Binary or memory string: OriginalFilename vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207476598.000000006E486000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs PRTService.exe
Source: PRTService.exe, 00000001.00000000.197033489.0000000000EF8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDCDeviceControllerNet.dllD vs PRTService.exe
Source: PRTService.exe, 00000001.00000000.197033489.0000000000EF8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDCheckNet.dllH vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207107980.00000000057B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PRTService.exe
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRTService.exe
Source: PRTService.exe | Binary or memory string: OriginalFilenameIDCDeviceControllerNet.dllD vs PRTService.exe
Source: PRTService.exe | Binary or memory string: OriginalFilenameIDCheckNet.dllH vs PRTService.exe
Source: AgileDotNetRT.dll.1.dr | Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: sus26.evad.winEXE@3/4@0/0
Source: C:\Users\user\Desktop\PRTService.exe | File created: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b
Source: PRTService.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PRTService.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PRTService.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PRTService.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\PRTService.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PRTService.exe | String found in binary or memory: Load Timed Out/LoadJurisTable Status:
Source: C:\Users\user\Desktop\PRTService.exe | File read: C:\Users\user\Desktop\PRTService.exe
Source: unknown | Process created: C:\Users\user\Desktop\PRTService.exe 'C:\Users\user\Desktop\PRTService.exe'
Source: C:\Users\user\Desktop\PRTService.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\PRTService.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: PRTService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PRTService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E478500 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree,
Source: AgileDotNetRT.dll.1.dr | Static PE information: section name: .textbss
Source: AgileDotNetRT.dll.1.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00EC31F4 push ecx; retf 0000h
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F19CD4 push eax; ret
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F70498 push eax; ret
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_00F19EA7 push ecx; ret
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E47569E push eax; ret
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48AE07 push 00000C3Fh; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A621 push 000003C8h; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A688 push 000023F7h; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E488F68 push 000073FDh; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E488717 push 000010B9h; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B7C3 push 00001947h; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E489C41 push 00001F00h; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E489463 push 00007DDCh; mov dword ptr [esp], ebp
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E488C34 push 00007802h; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B4AA push 00007F81h; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48AD67 push 0000183Fh; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E487DCD push 00000237h; mov dword ptr [esp], esi
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48AA36 push 00003619h; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48C348 push 00004A85h; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48831F push 000008ABh; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A3AE push 000063D4h; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B068 push 00000FACh; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48902C push 00002D0Eh; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A82F push 000019CCh; mov dword ptr [esp], esp
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48B8D6 push 0000142Bh; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48997F push 0000120Bh; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A93F push 00005B3Dh; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E48A1D0 push 00000289h; mov dword ptr [esp], edi
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E4889FD push 00006D00h; mov dword ptr [esp], eax
Source: initial sample | Static PE information: section name: .text entropy: 6.82449258024
Source: initial sample | Static PE information: section name: .reloc entropy: 7.44136591955
Source: C:\Users\user\Desktop\PRTService.exe | File created: C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll
Source: C:\Users\user\Desktop\PRTService.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PRTService.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PRTService.exe | RDTSC instruction interceptor: First address: 000000006E472D12 second address: 000000006E472D96 instructions:
  0x00000000 rdtsc
  0x00000002 mov dword ptr [ebp-10h], eax
  0x00000005 mov dword ptr [ebp-0Ch], edx
  0x00000008 mov eax, dword ptr [ebp-10h]
  0x0000000b sub eax, dword ptr [ebp-08h]
  0x0000000e mov edx, dword ptr [ebp-0Ch]
  0x00000011 sbb edx, dword ptr [ebp-04h]
  0x00000014 pop edi
  0x00000015 pop esi
  0x00000016 pop ebx
  0x00000017 mov esp, ebp
  0x00000019 pop ebp
  0x0000001a ret
  0x0000001b mov dword ptr [6E4833C0h], eax
  0x00000020 mov dword ptr [6E4833C4h], edx
  0x00000026 mov dword ptr [ebp-0Ch], 00000000h
  0x0000002d jmp 00007FF90CA8700Bh
  0x0000002f mov eax, dword ptr [ebp-0Ch]
  0x00000032 cmp eax, dword ptr [ebp+08h]
  0x00000035 jnl 00007FF90CA87046h
  0x00000037 rdtsc
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E472D50 rdtsc
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PRTService.exe, 00000001.00000002.207177360.0000000005810000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PRTService.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E478500 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E47EF00 GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\PRTService.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PRTService.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 852
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E4767C0 MessageBoxW,GetSystemTimeAsFileTime,CompareFileTime,MessageBoxW,
Source: C:\Users\user\Desktop\PRTService.exe | Code function: 1_2_6E471EA0 GetVersionExW,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter ² | Path Interception | Process Injection ¹¹ | Virtualization/Sandbox Evasion ¹¹ | OS Credential Dumping | System Time Discovery ¹ | Remote Services | Archive Collected Data ¹ | Exfiltration Over Other Network Medium | Encrypted Channel ¹ | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API ¹ | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools ¹ | LSASS Memory | Security Software Discovery ¹³¹ | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection ¹¹ | Security Account Manager | Virtualization/Sandbox Evasion ¹¹ | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information ² | NTDS | Remote System Discovery ¹ | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing ¹ | LSA Secrets | System Information Discovery ¹³ | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PRTService.exe | 6% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll | 1% | Virustotal |
C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll | 2% | Metadefender |
C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll | 2% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452460
Start date: 22.07.2021
Start time: 12:04:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PRTService.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus26.evad.winEXE@3/4@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 68%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe
  • Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.147.198.201, 40.88.32.150
  • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, watson.telemetry.microsoft.com

Simulations

Behavior and APIs

Time | Type | Description
12:04:59 | API Interceptor | 1x Sleep call for process: dw20.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_prtservice.exe_9a52ed83f9a038e8d5d8a8b157025a4bf964059_00000000_170c17b5\Report.wer
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12060
Entropy (8bit): 3.77494316680188
Encrypted: false
SSDEEP: 192:qukBTvHiNmXmhnZaKsn9fXeewQlfY/u7s6S274ItxUn:r2TiraDfY/u7s6X4ItW
MD5: BC1FC11A79D4F343E5BB91CE09B7E8AD
SHA1: D7B371EAEFB34AF61C2D839AB37529D9ACBFB38E
SHA-256: 157F9E47E5C2B3807B350974B124C7F32129A991AD8B1F8092B3D33CCE9EA5CF
SHA-512: 460570B46667510C06D40CAAD8B61EF7B8444A4BB13DC899DA97C5D9ED2B5C30582A2B5EEBA13B980B7D66A68DDB87309B8CC133EE274F3233335C95A71AE5D2
Malicious: false
Reputation: low
Preview (UTF-16 text decoded, truncated as in the report):
Version=1
EventType=CLR20r3
EventTime=132714542972504929
ReportType=2
Consent=1
UploadTime=132714542975473846
ReportStatus=268435456
ReportIdentifier=eaa9f867-5c82-4463-947f-318be587b9fd
Wow64Host=34404
Wow64Guest=332
OriginalFilename=PRTService.exe
AppSessionGuid=00001568-0001-0017-98a3-4c752c7fd701
TargetAppId=W:00061d44337aaac62e9af725a0b26abf5d7300000000!0000f2fb096d74527a06c5b5c2975fd438419ec171b6!PRTService.exe
TargetAppVer=2017//11//29:20:09:33!0!PRTService.exe
BootId=42949
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC2.tmp.WERInternalMetadata.xml
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 7680
Entropy (8bit): 3.696497169104449
Encrypted: false
SSDEEP: 192:Rrl7r3GLNik6U6ksMe6YSKSUNC1lgmfZJAdS+Cp1yb1fYqGm:RrlsNiI696YfSUNC1lgmfXOSnypfr
MD5: 1EBF2F48397EFDD1021EDE3AF4B317DC
SHA1: 48847211A8D7E6385E13908B6F951483DDAD5AED
SHA-256: 55ABEF9712C023C23556FBE0439396D36F9626F229BB144475BAB8A1FAEAD0FD
SHA-512: F9E1F2EA19AE2BFE6C7814B6F27748C16DAA0C423AFEEB02EC845E1198C7B6D5038D844AC0C26361F5D269DFDCB18055703268F3475D21C058AE48BD7868A782
Malicious: false
Reputation: low
Preview (UTF-16 text decoded, truncated as in the report):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>17134</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
    <Revision>1</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>1033</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>5480</Pid>
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE60.tmp.xml
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4699
Entropy (8bit): 4.4714599202674306
Encrypted: false
SSDEEP: 48:cvIwSD8zsvJgtWI9ZVWSC8Bhs8fm8M4JFKzLtJ2F3f+q8vCLtJfebF9pd:uITfR6kSNbRJFKsfKMep9pd
MD5: BF3AD03AC5C53F7BD1E72D3B3BB4C4E1
SHA1: 3F8D93C4AEECFE1BFC18E53DC9C758F6AC7D3E8B
SHA-256: 80E099F69D975A62E4B82EC1E9AD616938D4A425EE51BB4EDAB3E5EABEFB49D1
SHA-512: 494C602BD5A3ACDAA155379483A070611E77772F1A54B2A7339E106025A145829FC2785E7888F2A8D8457A6D6764C80DDDA5AEBF0F5D11CDFE625120127BA7E5
Malicious: false
Reputation: low
Preview (truncated as in the report):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="17134" />
            <arg nm="vercsdbld" val="1" />
            <arg nm="verqfe" val="1" />
            <arg nm="csdbld" val="1" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="1033" />
            <arg nm="geoid" val="244" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="1088895" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.1.17134.0-11.0.47" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="4096" />
C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll
Process:C:\Users\user\Desktop\PRTService.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):123285
Entropy (8bit):6.470545105128027
Encrypted:false
SSDEEP:3072:eoVfy2n+bR4l+w5wIDn+1HcR6bpMpImsGPZni2:ly2n+bR42xcR6bpUxni2
MD5:F377D15AD215C779E12775DE2B42C965
SHA1:59409AC15E0535CEA47EC5AC5968867E8FF8C0E6
SHA-256:BC2440A2A185006247BE562F4D6B67560309E48694CC854308E00C41F02CA7D8
SHA-512:11AFDD6F098AB7D7466A764868D9E163142836B11044A0A2572EAC305454328B6FADE08929F93BD9E5FA9436435C5566A3C2EE86F1CDA6457B908F1198E22CF1
Malicious:false
Antivirus:
  • Antivirus: Virustotal, Detection: 1%
  • Antivirus: Metadefender, Detection: 2%
  • Antivirus: ReversingLabs, Detection: 2%
Reputation:low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............F...F...F..TF...F..lF...F...F...F..aF...F.wTF...F.wdF...F.weF...F.wbF...FRich...F........PE..L....9VS...........!.........8............................................... .......|....@..........................#.......@..d....`.......................p.......................................................B.. ....P..`....................textbss.................................text...)........................... ..`.rdata..............................@..@.data........0......................@....idata.......@......................@....didat..a....P.......*..............@....rsrc........`......................@..@.reloc.......p.......2..............`...................................................................................................................................................................................................................

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):6.818104665244162
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
  • Win32 Executable (generic) a (10002005/4) 49.65%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • InstallShield setup (43055/19) 0.21%
  • Windows Screen Saver (13104/52) 0.07%
File name:PRTService.exe
File size:957952
MD5:4a838989da416e3d16c520d03c3ba192
SHA1:f2fb096d74527a06c5b5c2975fd438419ec171b6
SHA256:26c2caf1eb317e9354cec8a92e824a495ce7d253f6d1779226138e6994553cf9
SHA512:ab62430a4d72f4e6d71c489fe45e338a8b877f5d9936bd10ea60a6d325fa02e03d25652a04a3262fcff8347e121fee876b4b98c8f767f5339ba8c01c1d0d9f9c
SSDEEP:12288:4BnFzJLhIE3wD2gM+L+GQtXJoqWJ+7MVOIVcD:cFprPDtPW87MVOs8
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z............................z.... ........@.. ....................................@................................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x4eb17a
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5A1F13FD [Wed Nov 29 20:09:33 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:v2.0.50727
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc ecx
adc ebx, dword ptr [edi]
pop edx
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [ecx+esi*4-6C43FFF2h], bh
push cs
add byte ptr [edx+53h], dl
inc esp
push ebx
jne 00007FF90C769D74h
pop ebp
add cl, byte ptr [edx]
jp 00007FF90C769D72h
inc edx
mov eax, 70716149h
std
sub dword ptr [edx+01h], edx
add byte ptr [eax], al
add byte ptr [ebx+3Ah], ah
pop esp
push ebp
jnc 00007FF90C769DA7h
jc 00007FF90C769DB5h
pop esp
inc ebx
popad
jc 00007FF90C769DAEh
outsd
jnc 00007FF90C769D93h
pop esp
inc esp
outsd
arpl word ptr [ebp+6Dh], si
outsb
je 00007FF90C769DB5h
pop esp
push esi
imul esi, dword ptr [ebx+75h], 53206C61h
je 00007FF90C769DB7h
imul ebp, dword ptr fs:[edi+20h], 32313032h
pop esp
push eax
jc 00007FF90C769DB1h
push 00000065h
arpl word ptr [ebx+esi*2+5Ch], si
inc ecx
push ebx
inc ecx
dec ecx
inc ebx
outsd
insd
dec esp
popad
jns 00007FF90C769DA7h
jc 00007FF90C769D9Eh
push eax
push edx
push esp
push ebx
jc 00007FF90C769DB9h
imul esp, dword ptr [ebx+65h], 6A626F5Ch
pop esp
push edx
insb
popad
jnc 00007FF90C769DA7h
pop esp
push eax
push edx
push esp
push ebx
jc 00007FF90C769DB9h
imul esp, dword ptr [ebx+65h], 6264702Eh
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xeb120 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xec000 | 0x54c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xee000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xeb1a0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe9240 | 0xe9400 | False | 0.431423960008 | data | 6.82449258024 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xec000 | 0x54c | 0x600 | False | 0.391927083333 | data | 3.95297327924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xee000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xec0a0 | 0x2c0 | data | |
RT_MANIFEST | 0xec360 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015
Assembly Version | 1.0.0.0
InternalName | PRTService.exe
FileVersion | 1.0.0.0
ProductName | PRTService
ProductVersion | 1.0.0.0
FileDescription | PRTService
OriginalFilename | PRTService.exe

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 12:04:49.281429052 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:04:49.338541985 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:04:50.223974943 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:04:50.283888102 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:04:51.742949009 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:04:51.795140028 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:04:52.562978029 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:04:52.612060070 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:04:56.747797012 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:04:56.800153017 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:04:57.887835026 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:04:57.937417030 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:04:57.998963118 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:04:58.055975914 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:04:58.842502117 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:04:58.891685963 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:05:00.004996061 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:05:00.065162897 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:05:01.762751102 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:05:01.812561035 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:05:02.623524904 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:05:02.676060915 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:05:04.735703945 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:05:04.791460037 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:05:05.813606024 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:05:05.865675926 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jul 22, 2021 12:05:06.653266907 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 12:05:06.705532074 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time:12:04:55
Start date:22/07/2021
Path:C:\Users\user\Desktop\PRTService.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\PRTService.exe'
Imagebase:0xec0000
File size:957952 bytes
MD5 hash:4A838989DA416E3D16C520D03C3BA192
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:12:04:56
Start date:22/07/2021
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):true
Commandline:dw20.exe -x -s 852
Imagebase:0x10000000
File size:33936 bytes
MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis
