File name:

Windows10Upgrade9252.exe

Full analysis: https://app.any.run/tasks/887272ca-cd51-458d-96cb-1f2e45eeeaa1
Verdict: Malicious activity
Analysis date: August 20, 2024, 08:49:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C0B25DEF4312FBDDBCC4F01C6C0F5BA6

SHA1:

8D16A183D61233E7D6B6AF7B3CAFC6645AC2ACB1

SHA256:

C0424D0AE06CA1E6E0249B40D33AC40D74075856D543EC0924884664FBA52B79

SSDEEP:

98304:GgjXlctych4cCzJ8k2omX8sUf0ht5f/LyXtcH/B:JjKtych9CzJqXM32jyXE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • Windows10UpgraderApp.exe (PID: 6816)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Windows10Upgrade9252.exe (PID: 6624)
      • Windows10Upgrade9252.exe (PID: 6672)
    • Process drops legitimate windows executable

      • Windows10Upgrade9252.exe (PID: 6672)
    • Drops the executable file immediately after the start

      • Windows10Upgrade9252.exe (PID: 6672)
    • Reads security settings of Internet Explorer

      • Windows10Upgrade9252.exe (PID: 6672)
      • Windows10UpgraderApp.exe (PID: 6816)
    • Executable content was dropped or overwritten

      • Windows10Upgrade9252.exe (PID: 6672)
    • Creates a software uninstall entry

      • Windows10Upgrade9252.exe (PID: 6672)
    • Reads the date of Windows installation

      • Windows10Upgrade9252.exe (PID: 6672)
    • Reads Microsoft Outlook installation path

      • Windows10UpgraderApp.exe (PID: 6816)
    • Reads Internet Explorer settings

      • Windows10UpgraderApp.exe (PID: 6816)
    • Checks Windows Trust Settings

      • Windows10UpgraderApp.exe (PID: 6816)
  • INFO

    • Creates files in the program directory

      • Windows10Upgrade9252.exe (PID: 6672)
      • Windows10UpgraderApp.exe (PID: 6816)
    • Checks supported languages

      • Windows10Upgrade9252.exe (PID: 6672)
      • Windows10UpgraderApp.exe (PID: 6816)
    • Creates files in a temporary directory

      • Windows10Upgrade9252.exe (PID: 6672)
      • Windows10UpgraderApp.exe (PID: 6816)
    • Process checks computer location settings

      • Windows10Upgrade9252.exe (PID: 6672)
    • Reads the computer name

      • Windows10Upgrade9252.exe (PID: 6672)
      • Windows10UpgraderApp.exe (PID: 6816)
    • Checks proxy server information

      • Windows10UpgraderApp.exe (PID: 6816)
    • Creates files or folders in the user directory

      • Windows10UpgraderApp.exe (PID: 6816)
    • Reads the software policy settings

      • Windows10UpgraderApp.exe (PID: 6816)
    • Reads the machine GUID from the registry

      • Windows10UpgraderApp.exe (PID: 6816)
    • Process checks Internet Explorer phishing filters

      • Windows10UpgraderApp.exe (PID: 6816)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2046:06:23 08:08:25+00:00 (not a real build date: Microsoft's reproducible builds since Windows 10 write a hash of the build inputs into the PE TimeDateStamp field, so this value cannot be used to date the binary; on a non-Microsoft file a future timestamp would instead be a tampering indicator)
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.2
CodeSize: 473600
InitializedDataSize: 295424
UninitializedDataSize: -
EntryPoint: 0x71a80
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 10
Subsystem: Windows GUI
FileVersionNumber: 1.4.19041.2183
ProductVersionNumber: 1.4.19041.2183
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Bulgarian
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: WindowsInstallationAssistant
InternalName: WindowsInstallationAssistant.exe
LegalCopyright: © Microsoft Corporation. Всички права запазени. (Bulgarian: "All rights reserved.")
OriginalFileName: WindowsInstallationAssistant.exe
ProductName: Помощник за инсталиране на Windows (Bulgarian: "Windows Installation Assistant")
FileVersion: 1.4.19041.2183
ProductVersion: 1.4.19041.2183
No data.
All screenshots are available in the full report
Total processes
132
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

start → windows10upgrade9252.exe → windows10upgraderapp.exe; windows10upgrade9252.exe (no specs)

Process information

PID 6624: "C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: WindowsInstallationAssistant
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance could not continue without elevation; the same command line then ran as PID 6672 at HIGH integrity, consistent with a UAC elevation)
  Version: 1.4.19041.2183
  Modules (images):
    c:\users\admin\appdata\local\temp\windows10upgrade9252.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 6672: "C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Windows10Upgrade9252.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: WindowsInstallationAssistant
  Exit code: 0
  Version: 1.4.19041.2183
  Modules (images):
    c:\users\admin\appdata\local\temp\windows10upgrade9252.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 6816: "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe"
  Path: C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  Parent process: Windows10Upgrade9252.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Installation Assistant
  Exit code: 0
  Version: 1.4.19041.2183
  Modules (images):
    c:\program files (x86)\windowsinstallationassistant\windows10upgraderapp.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll
Total events
2 811
Read events
2 769
Write events
40
Delete events
2

Modification events

PID 6672, Windows10Upgrade9252.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}
    write  Publisher       = Microsoft Corporation
    write  DisplayName     = Windows 10 Update Assistant
    write  DisplayIcon     = "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe"
    write  DisplayVersion  = 1.4.19041.2183
    write  UninstallString = "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe" /ForceUninstall
    write  EstimatedSize   = 5120

PID 6672, Windows10Upgrade9252.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    write  ProxyBypass   = 1
    write  IntranetName  = 1
    write  UNCAsIntranet = 1
    write  AutoDetect    = 0
Executable files
16
Suspicious files
15
Text files
30
Unknown types
6

Dropped files

Columns: PID | Process | Filename | Type

6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\Windows10UpgraderApp.exe | executable
  MD5: AB38A78503D8AD3CE7D69F937D71A99C
  SHA256: F635CD1996967C2297E3F20C4838D2F45D1535CFEA38971909683E26158FB782
6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\GetCurrentOOBE.dll | executable
  MD5: C062B03A177CF1D25B91D0A911784533
  SHA256: 396DF40ADAC039F8A6847B7C8EFFF7DFEAD7A77B93E12B0B141A4CFA808C0035
6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\GetCurrentRollback.EXE | executable
  MD5: D705A34A869AC46E3F07C9BE3EA1693A
  SHA256: 0436DEDA2DBBD46D74E4A83B5897BA26A3EC35A9AB77D4B46E7477D9CDD213B8
6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\WinDlp.dll | executable
  MD5: 87BC3D50A51CAE672F2E3ED50691E5B5
  SHA256: 896994DF8E63229DC8C860F40CFD92C6FCEA6E684EC0D51F111C812EEE7349BA
6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\resources\ux\logo.png | image
  MD5: AFEED45DF4D74D93C260A86E71E09102
  SHA256: F5FB1E3A7BCA4E2778903E8299C63AB34894E810A174B0143B79183C0FA5072F
6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\downloader.dll | executable
  MD5: 5B62AD6AE42F32806062AD1BCB3E2DE5
  SHA256: 96F7B268820511ABEEB6BBFAD0918CF9161366BC2F558EF7F011331E7DE1D6F3
6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\ESDHelper.dll | executable
  MD5: C61DCF4DB82482A4498FCCA646A6C640
  SHA256: C98289454CDCB2266E82204AF73A799B09458A899CDD8366E24FBB613273C0FF
6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\appraiserxp.dll | executable
  MD5: CBB270591C9A1BFB1B10559AB672F705
  SHA256: 770A9A15E1EB8E2729F23A3D262B55BEF16E4BB7822A2D16EEAC3DB35A116D7F
6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css | text
  MD5: 415D4BB726C52BD91BE8F3AFD81E50CC
  SHA256: C6DD0940A263382FB735F1CDC8550234F9C081625BFE2E5363CB8BB65CC06440
6672 | Windows10Upgrade9252.exe | C:\Users\admin\AppData\Local\Temp\WXUDC44.tmp\resources\ux\eula.css | text
  MD5: B81D1E97C529AC3D7F5A699AFCE27080
  SHA256: 35C6E30C7954F7E4B806C883576218621E2620166C8940701B33157BDD0BA225
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
31
DNS requests
17
Threats
0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (values are listed in the order exported; not every column is populated)

Only the PID 6816 rows belong to the sample's process tree (see Process information); the svchost.exe, SIHClient.exe and backgroundTaskHost.exe rows are OS background certificate-revocation traffic recorded during the run.

6816 | Windows10UpgraderApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6816 | Windows10UpgraderApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
2384 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6668 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7120 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

2212 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | (no domain, ASN or CN exported) | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(PID and process not exported) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6816 | Windows10UpgraderApp.exe | 23.213.166.81:443 | go.microsoft.com | AKAMAI-AS | DE | unknown
6816 | Windows10UpgraderApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6816 | Windows10UpgraderApp.exe | 2.18.160.223:443 | download.microsoft.com | AKAMAI-AS | DE | unknown
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2384 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2384 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.174
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
download.microsoft.com
  • 2.18.160.223
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.75
  • 20.190.159.64
  • 40.126.31.67
  • 20.190.159.23
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted

Threats

No threats detected
No debug info