download:

Windows10Upgrade9252.exe

Full analysis: https://app.any.run/tasks/a22d9d57-7b87-4c24-970f-f9cc92a1fbe2
Verdict: Malicious activity
Analysis date: February 23, 2020, 17:19:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AE21A2989E1EF2EABA2F35EB21DF7EF5
SHA1: 3C1B09E3159281ED643F8C636E11D072E1A431DA
SHA256: 079AB78611F3868F55CCC9B9413EEB2085F33EA5346D2AC8CCE320487226084D
SSDEEP: 98304:/f0KEpTqZzpNSgT0CfWxeI8QJFjAJqiqwZ0T9fOhBvH3Cyht5fDC3jK6slgLnhUt:/cKEp2hpwYvW48bAggZ0JGT/yMDC3jVs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Windows10UpgraderApp.exe (PID: 3000)
    • Loads dropped or rewritten executable
      • Windows10UpgraderApp.exe (PID: 3000)
    • Changes settings of System certificates
      • Windows10UpgraderApp.exe (PID: 3000)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Windows10Upgrade9252.exe (PID: 256)
    • Creates a software uninstall entry
      • Windows10Upgrade9252.exe (PID: 256)
    • Reads Internet Cache Settings
      • Windows10UpgraderApp.exe (PID: 3000)
    • Creates files in the program directory
      • Windows10Upgrade9252.exe (PID: 256)
    • Reads Internet Explorer settings
      • Windows10UpgraderApp.exe (PID: 3000)
    • Creates files in the Windows directory
      • Windows10UpgraderApp.exe (PID: 3000)
      • Windows10Upgrade9252.exe (PID: 256)
    • Low-level read access rights to disk partition
      • Windows10UpgraderApp.exe (PID: 3000)
    • Adds / modifies Windows certificates
      • Windows10UpgraderApp.exe (PID: 3000)
  • INFO
    • Reads settings of System Certificates
      • Windows10UpgraderApp.exe (PID: 3000)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:13 00:15:12+01:00
PEType: PE32
LinkerVersion: 10.1
CodeSize: 437760
InitializedDataSize: 169984
UninitializedDataSize: -
EntryPoint: 0x4f3e9
OSVersion: 6.2
ImageVersion: 6.2
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.4.9200.22925
ProductVersionNumber: 1.4.9200.22925
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: مساعد تحديث Windows 10
InternalName: Windows10Upgrader.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
OriginalFileName: Windows10Upgrader.exe
ProductName: Windows 10 Update Assistant
FileVersion: 1.4.9200.22925
ProductVersion: 1.4.9200.22925

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 12-Nov-2019 23:15:12
Detected languages:
  • Arabic - Saudi Arabia
  • Bulgarian - Bulgaria
  • Chinese - Hong Kong SAR
  • Chinese - PRC
  • Chinese - Taiwan
  • Croatian - Croatia
  • Czech - Czech Republic
  • Danish - Denmark
  • Dutch - Netherlands
  • English - United Kingdom
  • English - United States
  • Estonian - Estonia
  • Finnish - Finland
  • French - France
  • German - Germany
  • Greek - Greece
  • Hebrew - Israel
  • Hungarian - Hungary
  • Italian - Italy
  • Japanese - Japan
  • Korean - Korea
  • Latvian - Latvia
  • Lithuanian - Lithuania
  • Norwegian - Norway (Bokmal)
  • Polish - Poland
  • Portuguese - Brazil
  • Portuguese - Portugal
  • Romanian - Romania
  • Russian - Russia
  • Serbian - Serbia (Latin)
  • Slovak - Slovakia
  • Slovenian - Slovenia
  • Spanish - Spain (International sort)
  • Swedish - Sweden
  • Thai - Thailand
  • Turkish - Turkey
  • Ukrainian - Ukraine
Debug artifacts:
  • upgraderstub.pdb
CompanyName: Microsoft Corporation
FileDescription: Asistente para actualización a Windows 10
InternalName: Windows10Upgrader.exe
LegalCopyright: Copyright © Microsoft Corporation. Todos los derechos reservados.
OriginalFilename: Windows10Upgrader.exe
ProductName: Asistente para actualización a Windows 10
FileVersion: 1.4.9200.22925
ProductVersion: 1.4.9200.22925

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 12-Nov-2019 23:15:12
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0006ADEC | 0x0006AE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.59103
.data | 0x0006C000 | 0x00001EAC | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.43287
.idata | 0x0006E000 | 0x00001956 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.5769
.boxloadV | 0x00070000 | 0x00000056 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.942162
.rsrc | 0x00071000 | 0x00022000 | 0x00021800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.31378
.reloc | 0x00093000 | 0x0000564C | 0x00005800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.03105

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.9036 | 1900 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 0.903812 | 36 | Latin 1 / Western European | Chinese - Hong Kong SAR | RT_STRING
3 | 3.13127 | 1162 | Latin 1 / Western European | Spanish - Spain (International sort) | RT_STRING
4 | 2.30706 | 80 | Latin 1 / Western European | Lithuanian - Lithuania | RT_STRING
5 | 4.59938 | 1384 | Latin 1 / Western European | English - United States | RT_ICON
6 | 2.79537 | 16936 | Latin 1 / Western European | English - United States | RT_ICON
7 | 3.12441 | 9640 | Latin 1 / Western European | English - United States | RT_ICON
8 | 3.00143 | 6760 | Latin 1 / Western European | English - United States | RT_ICON
9 | 3.41612 | 4264 | Latin 1 / Western European | English - United States | RT_ICON
10 | 3.35245 | 2440 | Latin 1 / Western European | English - United States | RT_ICON

Imports

ADVAPI32.dll
Cabinet.dll
KERNEL32.dll
PSAPI.DLL
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
VERSION.dll
msvcrt.dll
No data.
Total processes: 43
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

windows10upgrade9252.exe -> (drop and start) -> windows10upgraderapp.exe
windows10upgrade9252.exe (no specs)

Process information

PID: 256
CMD: "C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
Path: C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Update Assistant
Exit code: 0
Version: 1.4.9200.22925
Modules (images):
  • c:\users\admin\appdata\local\temp\windows10upgrade9252.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 3000
CMD: "C:\Windows10Upgrade\Windows10UpgraderApp.exe"
Path: C:\Windows10Upgrade\Windows10UpgraderApp.exe
Parent process: Windows10Upgrade9252.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Update Assistant
Exit code: 0
Version: 1.4.9200.22925
Modules (images):
  • c:\windows10upgrade\windows10upgraderapp.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mfc42u.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 3776
CMD: "C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
Path: C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows 10 Update Assistant
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.4.9200.22925
Modules (images):
  • c:\users\admin\appdata\local\temp\windows10upgrade9252.exe
  • c:\systemroot\system32\ntdll.dll
Total events: 1 523
Read events: 312
Write events: 1 211
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
256 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4} | write | Publisher | Microsoft Corporation
256 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4} | write | DisplayName | Windows 10 Update Assistant
256 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4} | write | DisplayIcon | "C:\Windows10Upgrade\Windows10UpgraderApp.exe"
256 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4} | write | DisplayVersion | 1.4.9200.22925
256 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4} | write | UninstallString | "C:\Windows10Upgrade\Windows10UpgraderApp.exe" /Uninstall
256 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4} | write | EstimatedSize | 5120
256 | Windows10Upgrade9252.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
256 | Windows10Upgrade9252.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
3000 | Windows10UpgraderApp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
3000 | Windows10UpgraderApp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
Executable files: 53
Suspicious files: 2
Text files: 163
Unknown types: 7

Dropped files

PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\ESDHelper.dll (executable)
  MD5:
  SHA256:
PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\appraiserxp.dll (executable)
  MD5:
  SHA256:
PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\cosquery.dll (executable)
  MD5: F6F6913BE848F72FF7D012FE77AB07EE
  SHA256: BB186553C6E7E76DE7A45773770C59833DCDF4F74B94F8F47C2514057418450C
PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\DW20.EXE (executable)
  MD5: 1F72306A11D4DE3233EA19250469A9EE
  SHA256: 226210E3DFF8FB5691F17BCDE628A08953D422D0D9CDEB16EFC02F3A4D5AF00D
PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\Windows10UpgraderApp.exe (executable)
  MD5:
  SHA256:
PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\DevInv.dll (executable)
  MD5: 261AC59F28E83677D1DF6236E6AF5A9B
  SHA256: 948FA2A3FC2644912CA041C4F7B61D8F5DA2504817DE0DE03FD4C44780B715B2
PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\DWTRIG20.EXE (executable)
  MD5: 0AE71EC7B6DD4A4EB8CCD133542C52C3
  SHA256: 3190181C570F50A2FB0D157985AFF0F6968C0A4C64A58FB80586DD4E138F6B56
PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\GetCurrentDeploy.dll (executable)
  MD5:
  SHA256:
PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\wimgapi.dll (executable)
  MD5:
  SHA256:
PID 256, Windows10Upgrade9252.exe: C:\Users\admin\AppData\Local\Temp\WXU770D.tmp\downloader.dll (executable)
  MD5:
  SHA256:
HTTP(S) requests: 2
TCP/UDP connections: 6
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3000 | Windows10UpgraderApp.exe | GET | | 205.185.216.10:80 | http://dl.delivery.mp.microsoft.com/filestreamingservice/files/8cb2b661-147d-4532-9528-2eb5156d3811/18363.418.191007-0143.19h2_release_svc_refresh_CLIENTCONSUMER_RET_x86FRE_en-us.esd | US | | | whitelisted
3000 | Windows10UpgraderApp.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3000 | Windows10UpgraderApp.exe | 2.19.38.59:443 | go.microsoft.com | Akamai International B.V. | | whitelisted
3000 | Windows10UpgraderApp.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3000 | Windows10UpgraderApp.exe | 92.122.255.148:443 | download.microsoft.com | GTT Communications Inc. | | malicious
3000 | Windows10UpgraderApp.exe | 205.185.216.10:80 | dl.delivery.mp.microsoft.com | Highwinds Network Group, Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
go.microsoft.com | 2.19.38.59 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
download.microsoft.com | 92.122.255.148 | whitelisted
dl.delivery.mp.microsoft.com | 205.185.216.10, 205.185.216.42 | whitelisted

Threats

No threats detected
No debug info