SHA256: 81b224cc37e5c6fd68186182b6fbc866f6cfbe9d04bae0bd5d8b4706e53446a9
File name: Windows10Upgrade24074.exe
Detection ratio: 0 / 68
Analysis date: 2019-02-12 22:32:34 UTC ( 3 days, 7 hours ago )
Antivirus Result Update
Acronis 20190212
Ad-Aware 20190212
AegisLab 20190213
AhnLab-V3 20190212
Alibaba 20180921
ALYac 20190212
Antiy-AVL 20190212
Arcabit 20190212
Avast 20190213
Avast-Mobile 20190212
AVG 20190213
Avira (no cloud) 20190212
Babable 20180918
Baidu 20190202
BitDefender 20190212
Bkav 20190201
CAT-QuickHeal 20190212
ClamAV 20190212
CMC 20190212
Comodo 20190212
CrowdStrike Falcon (ML) 20181023
Cybereason 20190109
Cyren 20190212
DrWeb 20190212
eGambit 20190212
Emsisoft 20190212
Endgame 20181108
ESET-NOD32 20190212
F-Prot 20190213
F-Secure 20190213
Fortinet 20190212
GData 20190212
Ikarus 20190212
Sophos ML 20181128
Jiangmin 20190212
K7AntiVirus 20190212
K7GW 20190212
Kaspersky 20190212
Kingsoft 20190212
Malwarebytes 20190212
MAX 20190212
McAfee 20190213
McAfee-GW-Edition 20190213
Microsoft 20190213
eScan 20190212
NANO-Antivirus 20190212
Palo Alto Networks (Known Signatures) 20190212
Panda 20190212
Qihoo-360 20190212
Rising 20190212
SentinelOne (Static ML) 20190203
Sophos AV 20190212
SUPERAntiSpyware 20190206
Symantec 20190212
Symantec Mobile Insight 20190207
TACHYON 20190212
Tencent 20190212
TheHacker 20190212
Trapmine 20190123
TrendMicro 20190213
TrendMicro-HouseCall 20190213
Trustlook 20190212
VBA32 20190212
ViRobot 20190212
Webroot 20190212
Yandex 20190212
Zillya 20190212
ZoneAlarm by Check Point 20190212
Zoner 20190212
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright © Microsoft Corporation. All rights reserved.

Product Windows 10 Upgrade Assistant
Original name Windows10Upgrader.exe
Internal name Windows10Upgrader.exe
File version 1.4.9200.17364
Description Windows 10 Upgrade Assistant
Signature verification Signed file, verified signature
Signing date 8:32 PM 10/10/2016
Signers
[+] Microsoft Corporation
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Code Signing PCA
Valid from 08:17 PM 08/18/2016
Valid to 08:17 PM 11/02/2017
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 98ED99A67886D020C564923B7DF25E9AC019DF26
Serial number 33 00 00 01 40 96 A9 EE 70 56 FE CC 07 00 01 00 00 01 40
[+] Microsoft Code Signing PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 10:19 PM 08/31/2010
Valid to 10:29 PM 08/31/2020
Valid usage All
Algorithm sha1RSA
Thumbprint 3CAF9BA2DB5570CAF76942FF99101B993888E257
Serial number 61 33 26 1A 00 00 00 00 00 31
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 05/09/2001
Valid to 11:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 07:21 PM 03/30/2016
Valid to 07:21 PM 06/30/2017
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint C414798E68B7F5B57B2F04B42B656A106316E386
Serial number 33 00 00 00 9A 9A 9B 16 C2 83 DA D5 C2 00 00 00 00 00 9A
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:53 PM 04/03/2007
Valid to 01:03 PM 04/03/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 05/09/2001
Valid to 11:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Packers identified
F-PROT CAB
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-10-10 19:23:33
Entry Point 0x0004CCDA
Number of sections 6
PE sections
Overlays
MD5 a3d3d8c315c26ad8f3f29c457eb0a139
File type data
Offset 585216
Size 5156232
Entropy 8.00
PE imports
RegCreateKeyExW
CloseEncryptedFileRaw
RevertToSelf
RegCloseKey
WriteEncryptedFileRaw
RegSetValueExW
GetSecurityDescriptorGroup
GetSecurityDescriptorControl
ImpersonateSelf
GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
GetSecurityDescriptorOwner
RegDeleteKeyW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenEncryptedFileRawW
GetAclInformation
GetSecurityDescriptorLength
Ord(23)
Ord(20)
Ord(22)
GetDriveTypeW
ReleaseMutex
FileTimeToSystemTime
GetOverlappedResult
WaitForSingleObject
GetHandleInformation
GetFileAttributesW
VerifyVersionInfoW
DeleteCriticalSection
GetCurrentProcess
LocalAlloc
GetVolumeInformationW
GetFileInformationByHandle
WideCharToMultiByte
InterlockedExchange
GetTempPathW
GetSystemTimeAsFileTime
HeapReAlloc
SetEvent
LocalFree
FormatMessageW
InitializeCriticalSection
FindClose
InterlockedDecrement
GetFullPathNameW
OutputDebugStringA
WritePrivateProfileStringW
GetEnvironmentVariableW
SetLastError
GetUserDefaultUILanguage
DeviceIoControl
RemoveDirectoryW
HeapAlloc
VerSetConditionMask
InterlockedExchangeAdd
UnhandledExceptionFilter
TlsGetValue
SetFilePointerEx
SetFilePointer
SetFileAttributesW
LockFileEx
CreateThread
GetExitCodeThread
SetUnhandledExceptionFilter
CreateMutexW
SetThreadIdealProcessor
TerminateProcess
CreateSemaphoreW
GetModuleHandleExW
GlobalAlloc
LocalFileTimeToFileTime
SetEndOfFile
GetCurrentThreadId
InterlockedIncrement
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
LoadLibraryW
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
GetStartupInfoA
OpenProcess
CreateDirectoryW
DeleteFileW
WaitForMultipleObjects
GetProcessHeap
GetTempFileNameW
CreateFileMappingW
CompareStringW
GetFileSizeEx
GetModuleFileNameW
FindNextFileW
FindFirstFileW
DuplicateHandle
GetProcAddress
CreateEventW
CreateFileW
TlsSetValue
CreateFileA
LeaveCriticalSection
GetLastError
DosDateTimeToFileTime
GetShortPathNameW
GetSystemInfo
GlobalFree
GetCurrentProcessId
SetFileTime
GetCommandLineW
HeapSize
CopyFileExW
InterlockedCompareExchange
GetCurrentThread
ReleaseSemaphore
MapViewOfFile
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
OpenMutexW
UnlockFileEx
GetModuleHandleW
UnmapViewOfFile
WriteFile
Sleep
EnumProcesses
GetModuleFileNameExW
UuidCreate
RpcStringFreeW
SHGetFolderPathW
ShellExecuteExW
CommandLineToArgvW
StrStrIW
PathFindFileNameW
LoadStringW
MessageBoxW
SendMessageW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
_purecall
__p__fmode
_lock
??0exception@@QAE@ABV0@@Z
__CxxFrameHandler
??1type_info@@UAE@XZ
memset
wcschr
__dllonexit
_CxxThrowException
towupper
_vsnwprintf
_cexit
?terminate@@YAXXZ
_errno
??0exception@@QAE@ABQBD@Z
qsort
iswdigit
_onexit
??1exception@@UAE@XZ
_amsg_exit
exit
_exit
memcmp
__setusermatherr
wcsrchr
_XcptFilter
_acmdln
_wcsicmp
_ismbblead
_unlock
_wcsnicmp
__p__commode
?what@exception@@UBEPBDXZ
wcsncmp
__getmainargs
memcpy
_vsnprintf
memmove
_vscwprintf
??0exception@@QAE@XZ
iswspace
_initterm
_controlfp
__set_app_type
RtlDeleteCriticalSection
RtlAllocateHeap
NtYieldExecution
RtlInitializeCriticalSection
RtlRaiseStatus
NtSetInformationFile
RtlReAllocateHeap
NtSetSecurityObject
RtlInitializeResource
RtlNtStatusToDosError
RtlAcquireResourceExclusive
RtlReleaseResource
RtlFreeHeap
RtlAdjustPrivilege
RtlSetControlSecurityDescriptor
RtlDeleteResource
RtlAcquireResourceShared
RtlLeaveCriticalSection
RtlUnwind
RtlDosPathNameToNtPathName_U
RtlEnterCriticalSection
CoUninitialize
CoCreateInstance
CoInitialize
Number of PE resources by type
RT_STRING 108
RT_VERSION 36
RT_ICON 12
RT_GROUP_ICON 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 18
HEBREW DEFAULT 4
SWEDISH 4
HUNGARIAN DEFAULT 4
ESTONIAN DEFAULT 4
LITHUANIAN 4
FRENCH 4
CHINESE SIMPLIFIED 4
SLOVENIAN DEFAULT 4
DUTCH 4
PORTUGUESE 4
ITALIAN 4
NORWEGIAN BOKMAL 4
FINNISH DEFAULT 4
PORTUGUESE BRAZILIAN 4
GREEK DEFAULT 4
KOREAN 4
CZECH DEFAULT 4
LATVIAN DEFAULT 4
TURKISH DEFAULT 4
GERMAN 4
BULGARIAN DEFAULT 4
POLISH DEFAULT 4
JAPANESE DEFAULT 4
DANISH DEFAULT 4
SLOVAK DEFAULT 4
CHINESE HONGKONG 4
UKRAINIAN DEFAULT 4
CHINESE TRADITIONAL 4
THAI DEFAULT 4
SERBIAN DEFAULT 4
ARABIC SAUDI ARABIA 4
ROMANIAN 4
RUSSIAN 4
SERBIAN LATIN 4
SPANISH MODERN 3
ENGLISH UK 1
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 10.1
ImageVersion 6.2
FileSubtype 0
FileVersionNumber 1.4.9200.17364
LanguageCode Arabic
FileFlagsMask 0x003f
FileDescription Windows 10
ImageFileCharacteristics Executable, 32-bit
CharacterSet Unicode
InitializedDataSize 160768
EntryPoint 0x4ccda
OriginalFileName Windows10Upgrader.exe
MIMEType application/octet-stream
LegalCopyright Copyright Microsoft Corporation. All rights reserved.
FileVersion 1.4.9200.17364
TimeStamp 2016:10:10 20:23:33+01:00
FileType Win32 EXE
PEType PE32
InternalName Windows10Upgrader.exe
ProductVersion 1.4.9200.17364
SubsystemVersion 5.1
OSVersion 6.2
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 423424
ProductName Windows 10 Upgrade Assistant
ProductVersionNumber 1.4.9200.17364
FileTypeExtension exe
ObjectFileType Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
PE resource-wise parents
Compressed bundles
File identification
MD5 600d4bd7572b25bf1f504eada8fd6b56
SHA1 f94c2d8dd0c386e334cb4a408b40cdc5b259f509
SHA256 81b224cc37e5c6fd68186182b6fbc866f6cfbe9d04bae0bd5d8b4706e53446a9
ssdeep 98304:dSNtLpsoLuuP7HS5BdWaWo1dzKddpEpOnVrd+oBuvH3CySy1BORwu:defsoLuI7CWaWoXzaLE8VrZBu/yAnORh
authentihash ebdac98ce2b46dc93779cbc410a4971af434c2898f5826f10a70ee60198d7a88
imphash 9bb5194a7a584c1169b070a912f240d4
File size 5.5 MB ( 5741448 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (33.7%)
Win64 Executable (generic) (29.8%)
Microsoft Visual C++ compiled executable (generic) (17.8%)
Win32 Dynamic Link Library (generic) (7.1%)
Win32 Executable (generic) (4.8%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2016-10-12 00:11:57 UTC ( 2 years, 4 months ago )
Last submission 2019-02-12 22:32:34 UTC ( 3 days, 7 hours ago )
File names ba3dc-windows10upgrade24074.exe
assistant-de-mise-a-niveau-de-windows-10_1-4-9200-17364_fr_433659.exe
windows10upgrade9194.exe
windows10upgrade28084 (2).exe
windows10upgrade28084.exe
windows10upgrade9252[1].exe
Windows10Upgrade9252.exe
windows10upgrade[1].exe
Windows10Upgrade9252.exe
Windows10Upgrade28084 (1).exe
windows10upgrade9252.exe
data-0.23:9085302507:5741448&pb=U2FsdGVkX1_XlBoBQvFR774v8asoib9z5GQ5dCMfE2dL7LVuheLA3W7sX67GO4X3Onnc4sHD45WHCJ6nsk4oM8OZ63_6TJh66k-hLvkjlS8=
Обновить до Windows 10.exe
windows10upgrade9252.exe.4g1p78c.partial
Besplatnoe_obnovlenie_do_Windows_10-spaces.ru.exe
Windows10BuildUpdater.exe
Windows10Upgrade24074.exe
windows10upgrade24074 (1).exe
windows10upgrade9252.exe.93shpso.partial
windows 10 cracked by wyatt.exe
windows10upgrade28084 (1).exe
Windows10Upgrade24074.exe
Windows10Upgrade24074.exe
Windows10Upgrade.exe
windows10upgrade24074.exe.e8ww1bo.partial
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Shell commands
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by making use of the SetWindowsHook Windows API function.
DNS requests
TCP connections
UDP communications