File name: Windows10Upgrade9252.exe

Full analysis: https://app.any.run/tasks/f4d869a7-3a44-414e-92e9-ee099139352b
Verdict: Malicious activity
Analysis date: April 21, 2020, 00:42:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AE21A2989E1EF2EABA2F35EB21DF7EF5
SHA1: 3C1B09E3159281ED643F8C636E11D072E1A431DA
SHA256: 079AB78611F3868F55CCC9B9413EEB2085F33EA5346D2AC8CCE320487226084D
SSDEEP: 98304:/f0KEpTqZzpNSgT0CfWxeI8QJFjAJqiqwZ0T9fOhBvH3Cyht5fDC3jK6slgLnhUt:/cKEp2hpwYvW48bAggZ0JGT/yMDC3jVs

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as is; ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Windows10UpgraderApp.exe (PID: 2156)
    • Loads dropped or rewritten executable

      • Windows10UpgraderApp.exe (PID: 2156)
    • Changes settings of System certificates

      • Windows10UpgraderApp.exe (PID: 2156)
  • SUSPICIOUS

    • Creates files in the program directory

      • Windows10Upgrade9252.exe (PID: 2372)
    • Reads internet explorer settings

      • Windows10UpgraderApp.exe (PID: 2156)
    • Creates files in the Windows directory

      • Windows10UpgraderApp.exe (PID: 2156)
      • Windows10Upgrade9252.exe (PID: 2372)
    • Creates a software uninstall entry

      • Windows10Upgrade9252.exe (PID: 2372)
    • Reads Internet Cache Settings

      • Windows10UpgraderApp.exe (PID: 2156)
    • Executable content was dropped or overwritten

      • Windows10Upgrade9252.exe (PID: 2372)
    • Adds / modifies Windows certificates

      • Windows10UpgraderApp.exe (PID: 2156)
  • INFO

    • Manual execution by user

      • regedit.exe (PID: 2948)
      • regedit.exe (PID: 2316)
    • Reads settings of System Certificates

      • Windows10UpgraderApp.exe (PID: 2156)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:13 00:15:12+01:00
PEType: PE32
LinkerVersion: 10.1
CodeSize: 437760
InitializedDataSize: 169984
UninitializedDataSize: -
EntryPoint: 0x4f3e9
OSVersion: 6.2
ImageVersion: 6.2
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.4.9200.22925
ProductVersionNumber: 1.4.9200.22925
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Windows 10 Update Assistant (Arabic resource string: مساعد تحديث Windows 10)
InternalName: Windows10Upgrader.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
OriginalFileName: Windows10Upgrader.exe
ProductName: Windows 10 Update Assistant
FileVersion: 1.4.9200.22925
ProductVersion: 1.4.9200.22925

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 12-Nov-2019 23:15:12
Detected languages:
  • Arabic - Saudi Arabia
  • Bulgarian - Bulgaria
  • Chinese - Hong Kong SAR
  • Chinese - PRC
  • Chinese - Taiwan
  • Croatian - Croatia
  • Czech - Czech Republic
  • Danish - Denmark
  • Dutch - Netherlands
  • English - United Kingdom
  • English - United States
  • Estonian - Estonia
  • Finnish - Finland
  • French - France
  • German - Germany
  • Greek - Greece
  • Hebrew - Israel
  • Hungarian - Hungary
  • Italian - Italy
  • Japanese - Japan
  • Korean - Korea
  • Latvian - Latvia
  • Lithuanian - Lithuania
  • Norwegian - Norway (Bokmal)
  • Polish - Poland
  • Portuguese - Brazil
  • Portuguese - Portugal
  • Romanian - Romania
  • Russian - Russia
  • Serbian - Serbia (Latin)
  • Slovak - Slovakia
  • Slovenian - Slovenia
  • Spanish - Spain (International sort)
  • Swedish - Sweden
  • Thai - Thailand
  • Turkish - Turkey
  • Ukrainian - Ukraine
Debug artifacts:
  • upgraderstub.pdb
CompanyName: Microsoft Corporation
FileDescription: Windows 10 Upgrade Assistant (Spanish resource string: Asistente para actualización a Windows 10)
InternalName: Windows10Upgrader.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved. (Spanish resource string: Todos los derechos reservados.)
OriginalFilename: Windows10Upgrader.exe
ProductName: Windows 10 Upgrade Assistant (Spanish resource string: Asistente para actualización a Windows 10)
FileVersion: 1.4.9200.22925
ProductVersion: 1.4.9200.22925

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of new EXE header (e_lfanew, offset of the PE signature): 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 12-Nov-2019 23:15:12
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name      | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                                | Entropy
.text     | 0x00001000      | 0x0006ADEC   | 0x0006AE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                  | 6.59103
.data     | 0x0006C000      | 0x00001EAC   | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE        | 5.43287
.idata    | 0x0006E000      | 0x00001956   | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             | 5.5769
.boxloadV | 0x00070000      | 0x00000056   | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             | 0.942162
.rsrc     | 0x00071000      | 0x00022000   | 0x00021800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             | 4.31378
.reloc    | 0x00093000      | 0x0000564C   | 0x00005800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ  | 5.03105
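The DOS header, PE header and section table above are exactly what a minimal parser walks to reproduce the Entropy column. The Python below is an added example, not code from ANY.RUN or from the report: it follows e_lfanew from the MZ header to the PE signature, reads the COFF file header, decodes the section characteristics with the same IMAGE_SCN_* names used in the table, and computes Shannon entropy over each section's raw bytes. It runs against a two-section PE32 image constructed in memory; the section names, contents and e_lfanew of 0x40 are made up, and only the TimeDateStamp and file Characteristics are chosen to equal this report's values so the output can be compared with the PE Headers block.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Flag names as they appear in this report's PE header and section table
FILE_FLAGS = {0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE", 0x0100: "IMAGE_FILE_32BIT_MACHINE", 0x2000: "IMAGE_FILE_DLL"}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform bytes; packed or encrypted sections sit near 7-8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_flags(value: int, table: dict) -> list:
    """Expand a characteristics bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(image: bytes) -> dict:
    """Walk MZ header -> e_lfanew -> PE signature -> COFF file header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]          # DOS header field 'address of new EXE header'
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, n_sections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                                  # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:                                  # header claims more bytes than the file holds
            raise ValueError(f"section {i} raw data runs past end of file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": decode_flags(flags, SECTION_FLAGS),
            "entropy": round(shannon_entropy(raw), 5),
        })
    return {
        "machine": machine, "e_lfanew": e_lfanew,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%d-%b-%Y %H:%M:%S"),
        "characteristics": decode_flags(chars, FILE_FLAGS),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image for offline use (not the analysed file; optional header is zero-filled)."""
    def section_header(name, vaddr, raw_ptr, raw, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), raw_ptr, 0, 0, 0, 0, flags)

    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # I386, 2 sections, TimeDateStamp 1573600512 = 12-Nov-2019 23:15:12 UTC (same as the report),
    # 0xE0-byte optional header, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE (same as the report)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1573600512, 0, 0, 0xE0, 0x0102)
    text_raw = bytes(range(256)) * 2                   # every byte value twice -> entropy exactly 8.0
    data_raw = b"A" * 0x100 + b"\0" * 0x100            # two symbols, 50/50 -> entropy exactly 1.0
    headers = (section_header(b".text", 0x1000, 0x200, text_raw, 0x60000020)
               + section_header(b".data", 0x2000, 0x400, data_raw, 0xC0000040))
    head = dos + b"PE\0\0" + coff + b"\0" * 0xE0 + headers
    return head.ljust(0x200, b"\0") + text_raw + data_raw   # raw data at file offsets 0x200 and 0x400


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["timestamp_utc"], ", ".join(info["characteristics"]))
    for s in info["sections"]:
        print(f"{s['name']:<9} VA=0x{s['virtual_address']:08X} raw=0x{s['raw_size']:08X} "
              f"entropy={s['entropy']:.5f}  {', '.join(s['characteristics'])}")
```

Pointing parse_pe at a real file (open it with "rb") reproduces the six rows above; the raw-size check is there because samples that hide a payload in the overlay, or that were truncated in transit, routinely declare section sizes the file cannot back.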

Resources

Title | Entropy  | Size  | Codepage                   | Language                             | Type
1     | 4.9036   | 1900  | Latin 1 / Western European | English - United States              | RT_MANIFEST
2     | 0.903812 | 36    | Latin 1 / Western European | Chinese - Hong Kong SAR              | RT_STRING
3     | 3.13127  | 1162  | Latin 1 / Western European | Spanish - Spain (International sort) | RT_STRING
4     | 2.30706  | 80    | Latin 1 / Western European | Lithuanian - Lithuania               | RT_STRING
5     | 4.59938  | 1384  | Latin 1 / Western European | English - United States              | RT_ICON
6     | 2.79537  | 16936 | Latin 1 / Western European | English - United States              | RT_ICON
7     | 3.12441  | 9640  | Latin 1 / Western European | English - United States              | RT_ICON
8     | 3.00143  | 6760  | Latin 1 / Western European | English - United States              | RT_ICON
9     | 3.41612  | 4264  | Latin 1 / Western European | English - United States              | RT_ICON
10    | 3.35245  | 2440  | Latin 1 / Western European | English - United States              | RT_ICON

Imports

ADVAPI32.dll
Cabinet.dll
KERNEL32.dll
PSAPI.DLL
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
VERSION.dll
msvcrt.dll
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive graph in the full report.) windows10upgrade9252.exe (drop and start) -> windows10upgraderapp.exe; regedit.exe (no specs); regedit.exe; windows10upgrade9252.exe (no specs).

Process information

PID: 2156
CMD: "C:\Windows10Upgrade\Windows10UpgraderApp.exe"
Path: C:\Windows10Upgrade\Windows10UpgraderApp.exe
Parent process: Windows10Upgrade9252.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Update Assistant
Exit code: 1073807364 (0x40010004, DBG_TERMINATE_PROCESS: the process was still running and was terminated when the analysis session ended)
Version: 1.4.9200.22925
Modules (images):
  • c:\windows10upgrade\windows10upgraderapp.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mfc42u.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 2316
CMD: "C:\Windows\regedit.exe"
Path: C:\Windows\regedit.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 1073807364 (0x40010004, DBG_TERMINATE_PROCESS: terminated at the end of the session)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\regedit.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 2372
CMD: "C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
Path: C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Update Assistant
Exit code: 0
Version: 1.4.9200.22925
Modules (images):
  • c:\users\admin\appdata\local\temp\windows10upgrade9252.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 2948
CMD: "C:\Windows\regedit.exe"
Path: C:\Windows\regedit.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch failed because the image requests elevation; PID 2316 is the high-integrity instance that ran)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\regedit.exe
  • c:\systemroot\system32\ntdll.dll

PID: 3636
CMD: "C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
Path: C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows 10 Update Assistant
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch failed because the image requests elevation; PID 2372 is the high-integrity instance that ran)
Version: 1.4.9200.22925
Modules (images):
  • c:\users\admin\appdata\local\temp\windows10upgrade9252.exe
  • c:\systemroot\system32\ntdll.dll
Total events: 3 744
Read events: 295
Write events: 1 208
Delete events: 2 241

Modification events

PID  | Process                  | Key                                                                                                                    | Operation | Name            | Value
2372 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}          | write     | Publisher       | Microsoft Corporation
2372 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}          | write     | DisplayName     | Windows 10 Update Assistant
2372 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}          | write     | DisplayIcon     | "C:\Windows10Upgrade\Windows10UpgraderApp.exe"
2372 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}          | write     | DisplayVersion  | 1.4.9200.22925
2372 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}          | write     | UninstallString | "C:\Windows10Upgrade\Windows10UpgraderApp.exe" /Uninstall
2372 | Windows10Upgrade9252.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}          | write     | EstimatedSize   | 5120
2372 | Windows10Upgrade9252.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap                                  | write     | UNCAsIntranet   | 0
2372 | Windows10Upgrade9252.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap                                  | write     | AutoDetect      | 1
2156 | Windows10UpgraderApp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap                                  | write     | UNCAsIntranet   | 0
2156 | Windows10UpgraderApp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap                                  | write     | AutoDetect      | 1
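The registry writes listed above are what the "Creates a software uninstall entry" and "Reads internet explorer settings" indicators are built from, and they are the natural input for a first-pass triage script. The Python below is an added example, not ANY.RUN's code or detection logic: it parses registry-write records in the four-line layout of the ANY.RUN text export (five of this report's own events are embedded as sample input), groups the writes to the Uninstall\{GUID} key, extracts the uninstaller executable from UninstallString, and flags the entry when that executable lives outside the directories listed in TRUSTED_ROOTS. That list, and the decision to flag ZoneMap writes, are heuristics chosen for this example. On these events it fires on C:\Windows10Upgrade\Windows10UpgraderApp.exe; the flag is a prompt for the analyst to verify the dropped binary, not a verdict on its own.

```python
import re
from collections import namedtuple

RegWrite = namedtuple("RegWrite", "pid process key operation name value")

# Five of the registry events from this report, in the line layout of the ANY.RUN text export
# (sample input embedded here so the script runs offline)
RAW_EVENTS = r"""(PID) Process:(2372) Windows10Upgrade9252.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
Operation:writeName:Publisher
Value:
Microsoft Corporation
(PID) Process:(2372) Windows10Upgrade9252.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
Operation:writeName:DisplayName
Value:
Windows 10 Update Assistant
(PID) Process:(2372) Windows10Upgrade9252.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
Operation:writeName:UninstallString
Value:
"C:\Windows10Upgrade\Windows10UpgraderApp.exe" /Uninstall
(PID) Process:(2372) Windows10Upgrade9252.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2156) Windows10UpgraderApp.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
"""

HEADER = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OPERATION = re.compile(r"^Operation:(\w+)Name:(.+)$")
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall\\([^\\]+)$", re.IGNORECASE)
ZONEMAP_KEY = re.compile(r"\\Internet Settings\\ZoneMap$", re.IGNORECASE)
# Directories an installed product is expected to live under (a triage heuristic chosen for this example,
# not an ANY.RUN rule). Trailing separators matter: "c:\windows\" must not match "c:\windows10upgrade\".
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\programdata\\", "c:\\windows\\")


def parse_events(text: str) -> list:
    """Each export record is four lines: header, Operation/Name, the literal 'Value:', then the value."""
    lines = text.strip().splitlines()
    events, i = [], 0
    while i < len(lines):
        h = HEADER.match(lines[i]) if i + 3 < len(lines) else None
        o = OPERATION.match(lines[i + 1]) if h else None
        if not (h and o and lines[i + 2] == "Value:"):
            raise ValueError(f"malformed record starting at line {i + 1}")
        events.append(RegWrite(int(h.group(1)), h.group(2), h.group(3), o.group(1), o.group(2), lines[i + 3]))
        i += 4
    return events


def executable_from_command(cmd: str) -> str:
    """First token of a command line, honouring a quoted path, so switches such as /Uninstall are dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def triage(events: list) -> list:
    """Flag uninstall entries whose uninstaller sits outside TRUSTED_ROOTS, and any IE ZoneMap write."""
    findings, uninstall = [], {}
    for ev in events:
        if ev.operation != "write":
            continue
        m = UNINSTALL_KEY.search(ev.key)
        if m:
            uninstall.setdefault((ev.pid, m.group(1)), {})[ev.name] = ev.value
        elif ZONEMAP_KEY.search(ev.key):
            findings.append({"pid": ev.pid, "kind": "ie_zonemap_write", "detail": f"{ev.process}: {ev.name}={ev.value}"})
    for (pid, product), fields in uninstall.items():
        exe = executable_from_command(fields.get("UninstallString", ""))
        if exe and not exe.lower().startswith(TRUSTED_ROOTS):
            findings.append({"pid": pid, "kind": "uninstall_entry_outside_program_dirs",
                             "detail": f"{product} ({fields.get('Publisher', '?')}, {fields.get('DisplayName', '?')}) -> {exe}"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(RAW_EVENTS)):
        print(f"PID {f['pid']:<5} {f['kind']:<38} {f['detail']}")
```

The parser raises on a malformed record rather than skipping it, because a silently dropped write is exactly the kind of gap that hides persistence; widen TRUSTED_ROOTS with care, since every directory added there is a place an installer can register itself without being noticed.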
Executable files: 54
Suspicious files: 2
Text files: 159
Unknown types: 7

Dropped files

PID  | Process                  | Filename                                                                  | Type
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\Windows10UpgraderApp.exe   | executable
    MD5: EE1EA0F90183C25841AD4BB9C2877C57
    SHA256: 1D59E5F8A48C8878FAF8B713AB12E1E271914D19E84B29C3A886A99E92D71BE2
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\ESDHelper.dll              | executable
    MD5: 4E5BBEC9902BBFA99A794823BC017AE9
    SHA256: 33E5D9BC5F84D9948C20ABE273A04B75661C882017A923305FF5D85ABFC309EF
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\appraiserxp.dll            | executable
    MD5: B59DEF9C5CB3E16D1532A607A6271E7F
    SHA256: 589541475B91034F125F2E392C6D174D4518D92D4FD50147EF7B722E572D7017
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\DWTRIG20.EXE               | executable
    MD5: 0AE71EC7B6DD4A4EB8CCD133542C52C3
    SHA256: 3190181C570F50A2FB0D157985AFF0F6968C0A4C64A58FB80586DD4E138F6B56
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\DW20.EXE                   | executable
    MD5: 1F72306A11D4DE3233EA19250469A9EE
    SHA256: 226210E3DFF8FB5691F17BCDE628A08953D422D0D9CDEB16EFC02F3A4D5AF00D
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\cosquery.dll               | executable
    MD5: F6F6913BE848F72FF7D012FE77AB07EE
    SHA256: BB186553C6E7E76DE7A45773770C59833DCDF4F74B94F8F47C2514057418450C
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\downloader.dll             | executable
    MD5: 1BC95FAE57967A598FF5ABE4BE67E53C
    SHA256: AB4F4C5F1A603ED446A74F8CCC0CF24698C4858A30D48ED0BA939309A78E5DCA
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\bootsect.exe               | executable
    MD5: EE0689F3E8311D242C79733436BEA940
    SHA256: D47060C4DE1DF3A0A6FCDC5C7FF0800E79B8BE7FBB31D2874FAB5D02330B62F0
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\HttpHelper.exe             | executable
    MD5: E9E82C573468116E7AAEABA91A16DDD3
    SHA256: 9AE15916C026FC077164994AEB4B0A4E7A4BDCCB90564640B885E4CA2E365CA1
2372 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\DevInv.dll                 | executable
    MD5: 261AC59F28E83677D1DF6236E6AF5A9B
    SHA256: 948FA2A3FC2644912CA041C4F7B61D8F5DA2504817DE0DE03FD4C44780B715B2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process                  | IP                 | Domain            | ASN                                                      | CN | Reputation
2156 | Windows10UpgraderApp.exe | 104.96.146.202:443 | go.microsoft.com  | Akamai Technologies, Inc.                                | NL | malicious
2156 | Windows10UpgraderApp.exe | 93.184.220.29:80   | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain            | IP             | Reputation
go.microsoft.com  | 104.96.146.202 | whitelisted
ocsp.digicert.com | 93.184.220.29  | whitelisted
crl3.digicert.com | 93.184.220.29  | whitelisted

Threats

No threats detected
No debug info