File name: Windows10Upgrade9252.exe

Full analysis: https://app.any.run/tasks/f4d869a7-3a44-414e-92e9-ee099139352b
Verdict: Malicious activity
Analysis date: April 21, 2020, 00:42:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AE21A2989E1EF2EABA2F35EB21DF7EF5
SHA1: 3C1B09E3159281ED643F8C636E11D072E1A431DA
SHA256: 079AB78611F3868F55CCC9B9413EEB2085F33EA5346D2AC8CCE320487226084D
SSDEEP: 98304:/f0KEpTqZzpNSgT0CfWxeI8QJFjAJqiqwZ0T9fOhBvH3Cyht5fDC3jK6slgLnhUt:/cKEp2hpwYvW48bAggZ0JGT/yMDC3jVs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Windows10UpgraderApp.exe (PID: 2156)
    • Loads dropped or rewritten executable

      • Windows10UpgraderApp.exe (PID: 2156)
    • Changes settings of System certificates

      • Windows10UpgraderApp.exe (PID: 2156)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • Windows10UpgraderApp.exe (PID: 2156)
      • Windows10Upgrade9252.exe (PID: 2372)
    • Reads Internet Cache Settings

      • Windows10UpgraderApp.exe (PID: 2156)
    • Reads internet explorer settings

      • Windows10UpgraderApp.exe (PID: 2156)
    • Creates files in the program directory

      • Windows10Upgrade9252.exe (PID: 2372)
    • Creates a software uninstall entry

      • Windows10Upgrade9252.exe (PID: 2372)
    • Executable content was dropped or overwritten

      • Windows10Upgrade9252.exe (PID: 2372)
    • Adds / modifies Windows certificates

      • Windows10UpgraderApp.exe (PID: 2156)
  • INFO

    • Manual execution by user

      • regedit.exe (PID: 2948)
      • regedit.exe (PID: 2316)
    • Reads settings of System Certificates

      • Windows10UpgraderApp.exe (PID: 2156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:13 00:15:12+01:00
PEType: PE32
LinkerVersion: 10.1
CodeSize: 437760
InitializedDataSize: 169984
UninitializedDataSize: -
EntryPoint: 0x4f3e9
OSVersion: 6.2
ImageVersion: 6.2
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.4.9200.22925
ProductVersionNumber: 1.4.9200.22925
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: مساعد تحديث Windows 10
InternalName: Windows10Upgrader.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
OriginalFileName: Windows10Upgrader.exe
ProductName: Windows 10 Update Assistant
FileVersion: 1.4.9200.22925
ProductVersion: 1.4.9200.22925

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 12-Nov-2019 23:15:12
Detected languages:
  • Arabic - Saudi Arabia
  • Bulgarian - Bulgaria
  • Chinese - Hong Kong SAR
  • Chinese - PRC
  • Chinese - Taiwan
  • Croatian - Croatia
  • Czech - Czech Republic
  • Danish - Denmark
  • Dutch - Netherlands
  • English - United Kingdom
  • English - United States
  • Estonian - Estonia
  • Finnish - Finland
  • French - France
  • German - Germany
  • Greek - Greece
  • Hebrew - Israel
  • Hungarian - Hungary
  • Italian - Italy
  • Japanese - Japan
  • Korean - Korea
  • Latvian - Latvia
  • Lithuanian - Lithuania
  • Norwegian - Norway (Bokmal)
  • Polish - Poland
  • Portuguese - Brazil
  • Portuguese - Portugal
  • Romanian - Romania
  • Russian - Russia
  • Serbian - Serbia (Latin)
  • Slovak - Slovakia
  • Slovenian - Slovenia
  • Spanish - Spain (International sort)
  • Swedish - Sweden
  • Thai - Thailand
  • Turkish - Turkey
  • Ukrainian - Ukraine
Debug artifacts:
  • upgraderstub.pdb
CompanyName: Microsoft Corporation
FileDescription: Asistente para actualización a Windows 10
InternalName: Windows10Upgrader.exe
LegalCopyright: Copyright © Microsoft Corporation. Todos los derechos reservados.
OriginalFilename: Windows10Upgrader.exe
ProductName: Asistente para actualización a Windows 10
FileVersion: 1.4.9200.22925
ProductVersion: 1.4.9200.22925

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 12-Nov-2019 23:15:12
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0006ADEC | 0x0006AE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.59103
.data | 0x0006C000 | 0x00001EAC | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.43287
.idata | 0x0006E000 | 0x00001956 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.5769
.boxloadV | 0x00070000 | 0x00000056 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.942162
.rsrc | 0x00071000 | 0x00022000 | 0x00021800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.31378
.reloc | 0x00093000 | 0x0000564C | 0x00005800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.03105

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.9036 | 1900 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 0.903812 | 36 | Latin 1 / Western European | Chinese - Hong Kong SAR | RT_STRING
3 | 3.13127 | 1162 | Latin 1 / Western European | Spanish - Spain (International sort) | RT_STRING
4 | 2.30706 | 80 | Latin 1 / Western European | Lithuanian - Lithuania | RT_STRING
5 | 4.59938 | 1384 | Latin 1 / Western European | English - United States | RT_ICON
6 | 2.79537 | 16936 | Latin 1 / Western European | English - United States | RT_ICON
7 | 3.12441 | 9640 | Latin 1 / Western European | English - United States | RT_ICON
8 | 3.00143 | 6760 | Latin 1 / Western European | English - United States | RT_ICON
9 | 3.41612 | 4264 | Latin 1 / Western European | English - United States | RT_ICON
10 | 3.35245 | 2440 | Latin 1 / Western European | English - United States | RT_ICON

Imports

ADVAPI32.dll
Cabinet.dll
KERNEL32.dll
PSAPI.DLL
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
VERSION.dll
msvcrt.dll
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph


Process information

PID: 2156
CMD: "C:\Windows10Upgrade\Windows10UpgraderApp.exe"
Path: C:\Windows10Upgrade\Windows10UpgraderApp.exe
Parent process: Windows10Upgrade9252.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Update Assistant
Exit code: 1073807364
Version: 1.4.9200.22925
Modules (Images):
  • c:\windows10upgrade\windows10upgraderapp.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mfc42u.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 2316
CMD: "C:\Windows\regedit.exe"
Path: C:\Windows\regedit.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 1073807364
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\regedit.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 2372
CMD: "C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
Path: C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Update Assistant
Exit code: 0
Version: 1.4.9200.22925
Modules (Images):
  • c:\users\admin\appdata\local\temp\windows10upgrade9252.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 2948
CMD: "C:\Windows\regedit.exe"
Path: C:\Windows\regedit.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\regedit.exe
  • c:\systemroot\system32\ntdll.dll

PID: 3636
CMD: "C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
Path: C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows 10 Update Assistant
Exit code: 3221226540
Version: 1.4.9200.22925
Modules (Images):
  • c:\users\admin\appdata\local\temp\windows10upgrade9252.exe
  • c:\systemroot\system32\ntdll.dll
Total events: 3 744
Read events: 295
Write events: 1 208
Delete events: 2 241

Modification events

(PID) Process: (2372) Windows10Upgrade9252.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
Operation: write
Name: Publisher
Value: Microsoft Corporation

(PID) Process: (2372) Windows10Upgrade9252.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
Operation: write
Name: DisplayName
Value: Windows 10 Update Assistant

(PID) Process: (2372) Windows10Upgrade9252.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
Operation: write
Name: DisplayIcon
Value: "C:\Windows10Upgrade\Windows10UpgraderApp.exe"

(PID) Process: (2372) Windows10Upgrade9252.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
Operation: write
Name: DisplayVersion
Value: 1.4.9200.22925

(PID) Process: (2372) Windows10Upgrade9252.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
Operation: write
Name: UninstallString
Value: "C:\Windows10Upgrade\Windows10UpgraderApp.exe" /Uninstall

(PID) Process: (2372) Windows10Upgrade9252.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
Operation: write
Name: EstimatedSize
Value: 5120

(PID) Process: (2372) Windows10Upgrade9252.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2372) Windows10Upgrade9252.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (2156) Windows10UpgraderApp.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2156) Windows10UpgraderApp.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 54
Suspicious files: 2
Text files: 159
Unknown types: 7

Dropped files

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\GetCurrentDeploy.dll
Type: executable

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\Windows10UpgraderApp.exe
Type: executable

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\appraiserxp.dll
Type: executable

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\ESDHelper.dll
Type: executable

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\wimgapi.dll
Type: executable

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\cosquery.dll
Type: executable
MD5: F6F6913BE848F72FF7D012FE77AB07EE
SHA256: BB186553C6E7E76DE7A45773770C59833DCDF4F74B94F8F47C2514057418450C

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\DevInv.dll
Type: executable
MD5: 261AC59F28E83677D1DF6236E6AF5A9B
SHA256: 948FA2A3FC2644912CA041C4F7B61D8F5DA2504817DE0DE03FD4C44780B715B2

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\DWTRIG20.EXE
Type: executable
MD5: 0AE71EC7B6DD4A4EB8CCD133542C52C3
SHA256: 3190181C570F50A2FB0D157985AFF0F6968C0A4C64A58FB80586DD4E138F6B56

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\GatherOSState.EXE
Type: executable
MD5: C8F114021CBABFB4BF0E0EA27B6DA833
SHA256: 763420C1E090636450180B3ADF76101BDAC131A26D47214D635AB17A472453D8

PID: 2372
Process: Windows10Upgrade9252.exe
Filename: C:\Users\admin\AppData\Local\Temp\WXUEA68.tmp\GetCurrentOOBE.dll
Type: executable
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2156 | Windows10UpgraderApp.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2156 | Windows10UpgraderApp.exe | 104.96.146.202:443 | go.microsoft.com | Akamai Technologies, Inc. | NL | malicious

DNS requests

Domain | IP | Reputation
go.microsoft.com | 104.96.146.202 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted

Threats

No threats detected
No debug info