ID: 171697 Sample Name: Update.exe Cookbook: default.jbs Time: 00:19:21 Date: 08/09/2019 Version: 26.0.0 Aquamarine

Automated Malware Analysis Report for Update.exe - Joe


Table of Contents

Analysis Report Update.exe
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Mitre Att&ck Matrix
    Signature Overview
      Networking
      System Summary
      Data Obfuscation
      Persistence and Installation Behavior
      Hooking and other Techniques for Hiding and Protection
      Malware Analysis System Evasion
      Anti Debugging
      Language, Device and Operating System Detection
    Behavior Graph
    Simulations
      Behavior and APIs
    Antivirus, Machine Learning and Genetic Malware Detection
      Initial Sample
      Dropped Files
      Unpacked PE Files
      Domains
      URLs
    Yara Overview
      Initial Sample
      PCAP (Network Traffic)
      Dropped Files
      Memory Dumps
      Unpacked PEs
    Joe Sandbox View / Context
      IPs
      Domains
      ASN
      JA3 Fingerprints
      Dropped Files
    Screenshots
      Thumbnails
    Startup
    Created / dropped Files
    Domains and IPs
      Contacted Domains
      URLs from Memory and Binaries
      Contacted IPs
    Static File Info
      General
      File Icon
      Static PE Info
        General
        Authenticode Signature
        Entrypoint Preview
        Data Directories
        Sections
        Resources
        Imports
        Version Infos

Copyright Joe Security LLC 2019 Page 2 of 18

    Network Behavior
    Code Manipulations
    Statistics
    System Behavior
      Analysis Process: Update.exe PID: 4272 Parent PID: 2712
        General
        File Activities
          File Created
          File Written
          File Read
    Disassembly
      Code Analysis

Analysis Report Update.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine

Analysis ID: 171697

Start date: 08.09.2019

Start time: 00:19:21

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 4m 24s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: Update.exe

Cookbook file name: default.jbs

Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113

Number of new started processes analysed: 2

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled

Analysis stop reason: Timeout

Detection: CLEAN

Classification: clean4.winEXE@1/3@0/0

EGA Information: Successful, ratio: 100%

HDC Information: Successful, ratio: 0.7% (good quality ratio 0.5%); quality average: 53.6%; quality standard deviation: 34.9%

HCA Information: Successful, ratio: 100%; number of executed functions: 0; number of non-executed functions: 0

Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated

Warnings:

Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy: Threshold
Score: 4 (range 0 - 100)
Whitelisted: false
Detection: CLEAN

Confidence

Strategy: Threshold
Score: 3 (range 0 - 5)
Further Analysis Required?: true

Classification

[Classification chart: each of the categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader and Miner is rated on the scale clean / suspicious / malicious; the chart image itself is not reproduced in this extraction.]

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Each tactic column lists the two techniques shown in the matrix; a number in parentheses is the count of matching signatures, cells without a number are the matrix's unmatched placeholder techniques.

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Windows Remote Management; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Port Monitors; Accessibility Features
Defense Evasion: Disabling Security Tools (1); DLL Side-Loading (1)
Credential Access: Credential Dumping; Network Sniffing
Discovery: Query Registry (1); System Information Discovery (1)
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels

Signature Overview

• Networking

• System Summary

• Data Obfuscation

• Persistence and Installation Behavior

• Hooking and other Techniques for Hiding and Protection

• Malware Analysis System Evasion

• Anti Debugging

• Language, Device and Operating System Detection


Networking:

Urls found in memory or binary data

System Summary:

Detected potential crypto function

PE file contains strange resources

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Classification label

Creates files inside the user directory

PE file has an executable .text section and no other executable section

Parts of this application are using the .NET runtime (probably coded in C#)

Reads software policies

Sample might require command line arguments

PE file contains a COM descriptor data directory

PE file has a big code size

PE file has a valid certificate

PE file has a valid certificate with Microsoft as Issuer

Submission file is bigger than most known malware samples

Copyright Joe Security LLC 2019 Page 6 of 18

PE file has a big raw section

Contains modern PE file flags such as dynamic base (ASLR) or NX

Data Obfuscation:

PE file contains an invalid checksum

Persistence and Installation Behavior:

Creates install or setup log file

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

May sleep (evasive loops) to hinder dynamic analysis

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Behavior Graph

Behavior Graph ID: 171697
Sample: Update.exe
Startdate: 08/09/2019
Architecture: WINDOWS
Score: 4

Nodes: Update.exe (started; 3 created files)

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source       Detection   Scanner      Label
Update.exe   0%          virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Copyright Joe Security LLC 2019 Page 9 of 18

Startup

System is w10x64

Update.exe (PID: 4272 cmdline: 'C:\Users\user\Desktop\Update.exe' MD5: 498E357CE42BC8FC6D043DE9A10646F4)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log
Process: C:\Users\user\Desktop\Update.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 1265
Entropy (8bit): 5.345885356924421
Encrypted: false
MD5: 088B949FA02D80036941FAA30667E29A
SHA1: B600127A5E14E737E654EA5019AA87DC63D7435E
SHA-256: A48C2312B556B2993E0523804B4644372C669371A669F7382F377712CD2538F2
SHA-512: E7EA7D212CC1E8447F478CAE38FBAD1507B26780893232285D7297F047E9FF342D0EC260D8D9D21A1BD793E5040777436D854F3A712F9563EA225A7DB444C98B
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\2da4cf2bb9a8f8a554da96d83ee20d39\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\7ede7502bdd935f2e31c32146e8206cf\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\74e4951d24e78d60061b6f9f8d6f49f4\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\

C:\Users\user\Desktop\SquirrelSetup.log
Process: C:\Users\user\Desktop\Update.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 62
Entropy (8bit): 4.651067479427662
Encrypted: false
MD5: 85166F613C6912B20B88BC2147FAB977
SHA1: 73038EA0F7D3A8E15D0843128A6A6E29FEF95E41
SHA-256: E7B85B78309D0E2BCFD6395E91C2D2CCFB84A6C273FD1839807DF634D7BA7A4A
SHA-512: F2C3586056FB51C434A67A60609F3F2DF70F2C150585BC2AA1B248731E4B67F8A23946B572498C9A9543114CFADA41EF3F36C576CC40981B6B3B2610D00D00AE
Malicious: false
Reputation: low
Preview: .2019-09-08 00:20:26> Program: Starting Squirrel Updater: ..

\Device\ConDrv
Process: C:\Users\user\Desktop\Update.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 2691
Entropy (8bit): 4.1822000607901115
Encrypted: false
MD5: B00FD939F0AA67BD5FCC0C3401951F02
SHA1: 176E4B31F5534B4A7E0E618AE18F539D6FBD5A40
SHA-256: 523E8FA39AA80F81273E1CB7B3C010EFC0F97087C4CE462289DA23DAFD0DD7C6
SHA-512: FD10E275ED0D1B449D4FF553D5C1ED8F9290ED02CEB1BA3B790F6A0AEC701A9644BD656626091290E540EE0ADFC29D8491A1D0780F8517E479911DA5E5335AC4
Malicious: false
Reputation: low
Preview: Usage: Squirrel.exe command [OPTS]..Manages Squirrel packages....Commands.. --install=VALUE Install the app whose package is in the specified.. directory.. --uninstall Uninstall the app the same dir as Update.exe.. --download=VALUE Download the releases specified by the URL and.. write new results to stdout as JSON.. --checkForUpdate=VALUE Check for one available update and writes new.. results to stdout as JSON.. --update=VALUE Update the application to the latest remote.. version specified by URL.. --releasify=VALUE Update or generate a releases directory with a.. given NuGet package.. --generateMsi=VALUE Generate MSI with a given installer package.. --createShortcut=VALUE Create a shortcut for the given executable name.. --removeShortcut=VALUE Remove a

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name                               Source       Malicious   Antivirus Detection   Reputation
https://github.com/myuser/myrepo   Update.exe   false                             high
https://api.github.com/#           Update.exe   false                             high
https://api.github.com/            Update.exe   false                             high

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Entropy (8bit): 5.903169445866686

TrID: Win32 Executable (generic) a (10002005/4) 99.94%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Java Script embedded in Visual Basic Script (1500/0) 0.01%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%

File name: Update.exe

File size: 1801840

MD5: 498e357ce42bc8fc6d043de9a10646f4

SHA1: 62f6b53f0403611552a7f0c52628e83a8934a07e

SHA256: 0683a18cc60d259920281ce6f3c20b5524dea4d84fa0c8d194be96f7da8db605

SHA512: 35332b2cceb4e64dadd64c523297cead93cba91d6286c0ed43913fc8f080ca65a21edd6c42b7ee11ecff6fbebe3c0598a9de597384c18e7faebe1dca6ce1a8de

SSDEEP: 24576:n8miYPA0nRGvaslXipNdspqH2w6wXm/L2oU81YhZYxQlZRjmWmP:n8miAdRGvw+kZ6wX1P0

File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......\.............................%... ........@.. ....................................@................................

File Icon

Icon Hash: 10e2acaca4e47a90

Static PE Info

General

Entrypoint: 0x58259e

Entrypoint Section: .text

Digitally signed: true

Imagebase: 0x400000

Subsystem: windows gui

Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE

DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Time Stamp: 0x5C9308FE [Thu Mar 21 03:46:06 2019 UTC]

TLS Callbacks:

CLR (.Net) Version: v4.0.30319

OS Version Major: 4

OS Version Minor: 0

File Version Major: 4

File Version Minor: 0

Subsystem Version Major: 4

Subsystem Version Minor: 0

Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Signature Valid: true

Signature Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Signature Validation Error: The operation completed successfully

Error Number: 0

Authenticode Signature

Not Before: 2/14/2019 1:52:07 PM

Not After: 7/31/2020 2:52:07 PM

Subject Chain: CN=Microsoft 3rd Party Application Component, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Version: 3

Thumbprint MD5: 71261DF8F445393D830596103B6B6B3B

Thumbprint SHA-1: 32F28ACBC1B26F28D0EF6773E3E6FBF5E13F3BB0

Thumbprint SHA-256: 8C109F1C8051F398E17FE11AB721B732F84B32D52D8C5958793A4D282610DFAD

Serial: 330000014161EC27309807CFB6000000000141
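The header fields above (entry point, image base, DLL characteristics, link timestamp) together with the IAT and COM descriptor directories and the section flags listed further down are what several of the "System Summary" and "Data Obfuscation" findings are derived from. The following is an added example written for this page, not Joe Sandbox's or Squirrel's code: it parses those fields from a PE32 image with the standard library, recomputes the PE checksum and maps the result onto four of the report's findings. The image it runs on is a constructed stand-in whose header values are copied from this report, built by the hypothetical build_sample_pe(); it is not the analysed Update.exe. Two caveats when reading the report: an invalid checksum does not weaken the Authenticode verdict, because the Authenticode hash skips the CheckSum field and the certificate table; and "valid certificate with Microsoft as Issuer" only says the chain verifies, so the signer subject (here "Microsoft 3rd Party Application Component") still has to be compared with the publisher the version info claims.

```python
"""Static PE checks behind several "System Summary" findings on this page.
Added example, not Joe Sandbox code; build_sample_pe() is a constructed PE32
stand-in (not Update.exe) whose header values are copied from the report."""
import struct
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SCN_CNT_CODE, SCN_CNT_INIT = 0x00000020, 0x00000040
SCN_MEM_DISCARDABLE, SCN_MEM_EXECUTE, SCN_MEM_READ = 0x02000000, 0x20000000, 0x40000000
COM_DESCRIPTOR = 14                                   # data directory slot of the CLR header
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header (96 bytes)
SEC_FMT = "<8sIIIIIIHHI"                                          # section header (40 bytes)
CHECKSUM_OFF = 64                                     # OptionalHeader.CheckSum within the optional header

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """imagehlp-style checksum: 32-bit words summed with end-around carry, folded
    to 16 bits, plus the file length. The CheckSum field itself is skipped."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def parse_pe(data: bytes) -> dict:
    """Extract the fields the report lists and evaluate four of its checks."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt_off = coff + 20
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    ndirs = opt[29]
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(ndirs)]
    secs = [struct.unpack_from(SEC_FMT, data, opt_off + opt_size + 40 * i) for i in range(nsec)]
    computed = pe_checksum(data, opt_off + CHECKSUM_OFF)
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "entry_point": opt[6],
        "image_base": opt[9],
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if opt[23] & bit],
        "is_dotnet": ndirs > COM_DESCRIPTOR and dirs[COM_DESCRIPTOR][0] != 0,
        "executable_sections": [s[0].rstrip(b"\0").decode() for s in secs if s[9] & SCN_MEM_EXECUTE],
        "checksum_stored": opt[21],
        "checksum_computed": computed,
        "checksum_valid": opt[21] == computed,
    }

def static_findings(info: dict) -> list:
    """Paraphrases of the report statements these fields map onto."""
    out = []
    if {"DYNAMIC_BASE", "NX_COMPAT"} & set(info["dll_characteristics"]):
        out.append("modern PE flags (ASLR/NX)")
    if info["is_dotnet"]:
        out.append("COM descriptor directory present (.NET)")
    if info["executable_sections"] == [".text"]:
        out.append("only .text is executable")
    if not info["checksum_valid"]:
        out.append("invalid checksum")
    return out

def fix_checksum(data: bytes) -> bytes:
    """Copy of data with OptionalHeader.CheckSum set to the computed value."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 4 + 20 + CHECKSUM_OFF
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]

def build_sample_pe() -> bytes:
    """Constructed PE32 (not the sample); CheckSum is left 0 so the check fails."""
    align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x5C9308FE, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x182548, 0x53), (0x184000, 0x30B94), (0x1B6000, 0xC)
    dirs[12], dirs[14] = (0x2000, 0x8), (0x2008, 0x48)                # IAT, CLR header
    opt = struct.pack(OPT_FMT, 0x10B, 48, 0, 0x180600, 0x30E00, 0, 0x58259E, 0x2000, 0x184000,
                      0x400000, 0x2000, align, 4, 0, 4, 0, 4, 0, 0, 0x1B8000, align, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    secs = [(b".text", 0x2000, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
            (b".rsrc", 0x184000, SCN_CNT_INIT | SCN_MEM_READ),
            (b".reloc", 0x1B6000, SCN_CNT_INIT | SCN_MEM_DISCARDABLE | SCN_MEM_READ)]
    hdr = dos + b"PE\0\0" + coff + opt
    for i, (name, va, chars) in enumerate(secs):
        hdr += struct.pack(SEC_FMT, name, align, va, align, align * (i + 1), 0, 0, 0, 0, chars)
    hdr += b"\0" * (align - len(hdr))
    return hdr + b"\x90" * (align * len(secs))                         # filler section bodies
```

parse_pe(build_sample_pe()) yields the timestamp 2019-03-21T03:46:06+00:00, the four DLL characteristics flags and the three findings the report lists, plus "invalid checksum" because the stand-in's CheckSum is 0; parse_pe(fix_checksum(...)) drops the last finding. Feeding parse_pe the bytes of a real PE32 file works the same way; PE32+ (64-bit) images use a different optional header layout and are deliberately rejected.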

Entrypoint Preview

Instruction

jmp dword ptr [00402000h]

The jump target 0x402000 is the image base (0x400000) plus the IAT RVA (0x2000, see Data Directories); that single IAT slot holds the only import, mscoree.dll _CorExeMain, which is the standard native stub of a .NET executable. The rest of the preview is zero padding, which the disassembler renders as repeated "add byte ptr [eax], al" and which is omitted here.

Data Directories

Name                                  Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x182548          0x53           .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x184000          0x30b94        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x1b1600          0x6870
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1b6000          0xc            .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000            0x8            .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008            0x48           .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0               0x0

Sections

Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy          Characteristics
.text    0x2000            0x1805a4       0x180600   False      0.372134146341    data        5.83928870766    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc    0x184000          0x30b94        0x30c00    False      0.260061097756    data        4.44539452832    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc   0x1b6000          0xc            0x200      False      0.044921875       data        0.101910425663   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

No network behavior found

Code Manipulations

Resources

Name            RVA        Size      Type
RT_ICON         0x184340   0x6ee4    PNG image data, 1024 x 1024, 8-bit/color RGBA, non-interlaced
RT_ICON         0x18b224   0x32c3    PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
RT_ICON         0x18e4e8   0x181f    PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON         0x18fd08   0x10828   dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON         0x1a0530   0x94a8    data
RT_ICON         0x1a99d8   0x4228    dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 3238002687, next used block 4294967043
RT_ICON         0x1adc00   0x25a8    data
RT_ICON         0x1b01a8   0x1a68    data
RT_ICON         0x1b1c10   0x10a8    data
RT_ICON         0x1b2cb8   0x988     data
RT_ICON         0x1b3640   0x6b8     data
RT_ICON         0x1b3cf8   0x468     GLS_BINARY_LSB_FIRST
RT_GROUP_ICON   0x1b4160   0xae      data
RT_VERSION      0x1b4210   0x3a0     data
RT_MANIFEST     0x1b45b0   0x5e1     XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL           Import
mscoree.dll   _CorExeMain

Version Infos

Description        Data
LegalCopyright     Microsoft Corporation
Assembly Version   1.4.4.0
InternalName       Update.exe
FileVersion        1.4.4.0
CompanyName        Microsoft Corporation
LegalTrademarks
Comments           Microsoft Teams
ProductName        Microsoft Teams
ProductVersion     1.4.4.0
FileDescription    Microsoft Teams
OriginalFilename   Update.exe
Translation        0x0000 0x04b0

Statistics

System Behavior

Analysis Process: Update.exe PID: 4272 Parent PID: 2712

General

Start time: 00:20:25

Start date: 08/09/2019

Path: C:\Users\user\Desktop\Update.exe

Wow64 process (32bit): true

Commandline: 'C:\Users\user\Desktop\Update.exe'

Imagebase: 0x470000

File size: 1801840 bytes

MD5 hash: 498E357CE42BC8FC6D043DE9A10646F4

Has administrator privileges: true

Programmed in: .Net C# or VB.NET

Reputation: low

File Activities

File Created

File Path: C:\Users\user\Desktop\SquirrelSetup.log
Access: read attributes | synchronize | generic write
Attributes: none
Options: synchronous io non alert | non directory file | open no recall
Completion: success or wait
Count: 1
Source Address: 6C561E60
Symbol: CreateFileW

File Path: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log
Access: read attributes | synchronize | generic write
Attributes: normal
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Source Address: 6DA2CA8D
Symbol: CreateFileW

File Written

Each record: File Path | Offset | Length | Completion | Count | Source Address | Symbol, followed by the written bytes in hex and, where the report shows them, as text (non-printable bytes rendered as ".").

\Device\ConDrv | unknown | 0 | success or wait | 1 | 6C561B4F | WriteFile

\Device\ConDrv | unknown | 36 | success or wait | 6 | 6C561B4F | WriteFile
Value: 55 73 61 67 65 3a 20 53 71 75 69 72 72 65 6c 2e 65 78 65 20 63 6f 6d 6d 61 6e 64 20 5b 4f 50 54 53 5d 0d 0a
Ascii: Usage: Squirrel.exe command [OPTS]..

\Device\ConDrv | unknown | 8 | success or wait | 20 | 6C561B4F | WriteFile
Value: 20 20 20 20 20 20 2d 2d
Ascii: "      --"

\Device\ConDrv | unknown | 7 | success or wait | 20 | 6C561B4F | WriteFile
Value: 69 6e 73 74 61 6c 6c
Ascii: install

\Device\ConDrv | unknown | 6 | success or wait | 21 | 6C561B4F | WriteFile
Value: 3d 56 41 4c 55 45
Ascii: =VALUE

\Device\ConDrv | unknown | 8 | success or wait | 26 | 6C561B4F | WriteFile
Value: 20 20 20 20 20 20 20 20
Ascii: (8 spaces)

\Device\ConDrv | unknown | 51 | success or wait | 39 | 6C561B4F | WriteFile
Value: 49 6e 73 74 61 6c 6c 20 74 68 65 20 61 70 70 20 77 68 6f 73 65 20 70 61 63 6b 61 67 65 20 69 73 20 69 6e 20 74 68 65 20 73 70 65 63 69 66 69 65 64 0d 0a
Ascii: Install the app whose package is in the specified..

\Device\ConDrv | unknown | 31 | success or wait | 11 | 6C561B4F | WriteFile
Value: 20 (repeated 31 times)
Ascii: (31 spaces)

\Device\ConDrv | unknown | 3 | success or wait | 8 | 6C561B4F | WriteFile
Value: 20 20 2d
Ascii: "  -"

\Device\ConDrv | unknown | 1 | success or wait | 8 | 6C561B4F | WriteFile
Value: 68
Ascii: h

\Device\ConDrv | unknown | 2 | success or wait | 9 | 6C561B4F | WriteFile
Value: 2c 20
Ascii: ", "

\Device\ConDrv | unknown | 1 | success or wait | 9 | 6C561B4F | WriteFile
Value: 2d
Ascii: -

\Device\ConDrv | unknown | 1 | success or wait | 9 | 6C561B4F | WriteFile
Value: 3f
Ascii: ?

\Device\ConDrv | unknown | 2 | success or wait | 2 | 6C561B4F | WriteFile
Value: 0d 0a
Ascii: ..

\Device\ConDrv | unknown | 29 | success or wait | 2 | 6C561B4F | WriteFile
Value: 20 (repeated 29 times)
Ascii: (29 spaces)

C:\Users\user\Desktop\SquirrelSetup.log | unknown | 62 | success or wait | 1 | 6C561B4F | WriteFile
Value: ef bb bf 32 30 31 39 2d 30 39 2d 30 38 20 30 30 3a 32 30 3a 32 36 3e 20 50 72 6f 67 72 61 6d 3a 20 53 74 61 72 74 69 6e 67 20 53 71 75 69 72 72 65 6c 20 55 70 64 61 74 65 72 3a 20 0d 0a
Ascii: ...2019-09-08 00:20:26> Program: Starting Squirrel Updater: ..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log | unknown | 1265 | success or wait | 1 | 6DA2CC07 | WriteFile
Value (truncated in the report): 31 2c 22 66 75 73 69 6f 6e 22 2c 22 47 41 43 22 2c 30 0d 0a 31 2c 22 57 69 6e 52 54 22 2c 22 4e 6f 74 41 70 70 22 2c 31 0d 0a 33 2c 22 53 79 73 74 65 6d 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30 2e 30 2c 20 43 75 6c 74 75 72 65 3d 6e 65 75 74 72 61 6c 2c 20 50 75 62 6c 69 63 4b 65 79 54 6f 6b 65 6e 3d 62 37 37 61 35 63 35 36 31 39 33 34 65 30 38 39 22 2c 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 61 73 73 65 6d 62 6c 79 5c 4e 61 74 69 76 65 49 6d 61 67 65 73 5f 76 34 2e 30 2e 33 30 33 31 39 5f 33 32 5c 53 79 73 74 65 6d 5c 38 34 62 39 31 37 31 63 34 33 62 65 38 34 32 38 61 37 63 65 61 66 32 35 33 65 35 64 37 37 33 38 5c 53 79 73 74 65 6d 2e 6e 69 2e 64 6c 6c 22 2c 30 0d 0a 33 2c 22 53 79 73 74 65 6d 2e 43 6f 72 65 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30
Ascii (truncated in the report): 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll",0..3,"System.Core, Version=4.0.0
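The per-write records above can be turned back into the files they produced, which is how the console usage text and the two log files in "Created / dropped Files" come about. The following is an added example written for this page, not Joe Sandbox's or Squirrel's code: it concatenates the writes per path in trace order, decodes the hex, strips the UTF-8 BOM that the report's ascii column shows as "..." in front of SquirrelSetup.log, and parses the CLR UsageLogs file, whose rows list the assemblies the process loaded together with their native-image path (a useful execution artifact for a .NET binary even after the binary itself is gone). The records are transcribed from the table above except the UsageLogs record, which is rebuilt from the dropped-file preview because the table truncates it; offsets are "unknown" in the report, so the reconstruction assumes sequential writes, and only the first four console writes are included, so the recovered console text stops at --install=VALUE. The function and constant names are this example's own.

```python
"""Rebuild written files from the sandbox's WriteFile trace (File Written above).
Added example, not Joe Sandbox or Squirrel code. Hex values below are transcribed
from the table on this page; the UsageLogs record is rebuilt from the file preview
because the table truncates it. Offsets are "unknown" in the report, so the
reconstruction assumes the writes were sequential."""
import csv
import io
from collections import defaultdict

CONDRV = r"\Device\ConDrv"
SQUIRREL_LOG = r"C:\Users\user\Desktop\SquirrelSetup.log"
USAGE_LOG = r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log"

# (path, bytes as hex) in trace order; only the first four console writes are included.
TRACE = [
    (CONDRV, "55 73 61 67 65 3a 20 53 71 75 69 72 72 65 6c 2e 65 78 65 20 63 6f 6d 6d 61 6e 64 20 5b 4f 50 54 53 5d 0d 0a"),
    (CONDRV, "20 20 20 20 20 20 2d 2d"),
    (CONDRV, "69 6e 73 74 61 6c 6c"),
    (CONDRV, "3d 56 41 4c 55 45"),
    (SQUIRREL_LOG, "ef bb bf 32 30 31 39 2d 30 39 2d 30 38 20 30 30 3a 32 30 3a 32 36 3e 20 50 72 6f 67 72 61 6d 3a 20 "
                   "53 74 61 72 74 69 6e 67 20 53 71 75 69 72 72 65 6c 20 55 70 64 61 74 65 72 3a 20 0d 0a"),
    (USAGE_LOG, (   # text from the dropped-file preview, hex-encoded here to look like the trace
        '1,"fusion","GAC",0\r\n'
        '1,"WinRT","NotApp",1\r\n'
        '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
        r'"C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll",0' '\r\n'
        '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
        r'"C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\2da4cf2bb9a8f8a554da96d83ee20d39\System.Core.ni.dll",0' '\r\n'
    ).encode("utf-8").hex(" ")),
]

def reassemble(trace) -> dict:
    """Concatenate each file's writes in trace order -> {path: bytes}."""
    files = defaultdict(bytearray)
    for path, hexvalue in trace:
        files[path] += bytes.fromhex(hexvalue)
    return {path: bytes(raw) for path, raw in files.items()}

def as_text(raw: bytes) -> str:
    """Decode a reconstructed text file; 'utf-8-sig' drops the EF BB BF byte order
    mark that SquirrelSetup.log starts with (the '...' in the report's ascii column)."""
    return raw.decode("utf-8-sig")

def parse_usage_log(text: str) -> list:
    """CLR UsageLogs\\<exe>.log rows have the shape kind,name,path,flag (see the file
    preview above); the kind-3 rows name loaded assemblies and their native image."""
    rows = []
    for kind, name, path, flag in csv.reader(io.StringIO(text)):
        rows.append({"kind": int(kind), "name": name, "path": path, "flag": int(flag)})
    return rows

def loaded_assemblies(text: str) -> list:
    """Short assembly names from the kind-3 rows, e.g. ['System', 'System.Core']."""
    return [r["name"].split(",")[0] for r in parse_usage_log(text) if r["kind"] == 3]

def reconstruct(trace=TRACE) -> dict:
    """Everything the trace lets us recover, keyed for the reader."""
    files = reassemble(trace)
    return {
        "console": as_text(files[CONDRV]),
        "squirrel_log": as_text(files[SQUIRREL_LOG]),
        "assemblies": loaded_assemblies(as_text(files[USAGE_LOG])),
        "sizes": {path: len(raw) for path, raw in files.items()},
    }

if __name__ == "__main__":
    for key, value in reconstruct().items():
        print(key, repr(value))
```

reconstruct() gives back the 62-byte SquirrelSetup.log exactly as the "Created / dropped Files" entry describes it (UTF-8 with BOM, CRLF), the start of the console usage text, and the assembly list System, System.Core from the UsageLogs rows. On a full trace the same sequential concatenation recovers the whole 2691-byte console output; a trace with real offsets would have to place each write at its offset instead.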


File Read

File Path | Offset | Length | Completion | Count | Source Address | Symbol

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6D663625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6D663625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6D663625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6D663625 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6D663625 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6D5CEE1E | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6D66A974 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6D66A974 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4097 | success or wait | 1 | 6D66A974 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4098 | success or wait | 1 | 6D66A974 | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 7976 | success or wait | 1 | 6D66A974 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\2da4cf2bb9a8f8a554da96d83ee20d39\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6D5CEE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6D5CEE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\b8254ec01c31459d7f6f66e4d6a670a5\PresentationFramework.ni.dll.aux | unknown | 2436 | success or wait | 1 | 6D5CEE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\7ede7502bdd935f2e31c32146e8206cf\WindowsBase.ni.dll.aux | unknown | 1348 | success or wait | 1 | 6D5CEE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\74e4951d24e78d60061b6f9f8d6f49f4\PresentationCore.ni.dll.aux | unknown | 1832 | success or wait | 1 | 6D5CEE1E | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\95f7be3abae719343f354f3adc883704\System.Xaml.ni.dll.aux | unknown | 572 | success or wait | 1 | 6D5CEE1E | ReadFile

Disassembly

Code Analysis
