2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
Size

6.0MB
MD5

a5de7bed0ef68ae53f3b84e55b94c975
SHA1

dc89fe8da674de85d5283fd8b1ccdbf415af03fd
SHA256

2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696
SHA512

a6cd09447333823c3b57026d9d76c2f12dc790e0a3388ace7d99dea18db676aa7d5c9bf004b19cf27dfa38c731385324ad8f8432c1ec49fc114dd7541badb9b0
SSDEEP

98304:92i9SyjMmxu5fZIdtLiZT7y1jsL6EZXp8IOddaRuc5Gh5vH3CYht5fDC3jKAs7gc:9N9SyjoKz1jeNtUcUf/yiDC3jxsORwN

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

Windows10UpgraderApp.exe

pid process

1732 Windows10UpgraderApp.exe

Loads dropped DLL 13 IoCs

Processes:

2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.execmd.execmd.exeWindows10UpgraderApp.exe

pid	process
2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
912	cmd.exe
2036	cmd.exe
1732	Windows10UpgraderApp.exe
1732	Windows10UpgraderApp.exe
1732	Windows10UpgraderApp.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2032-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
\Program Files\Common Files\System\symsrv.dll	upx
behavioral1/memory/2036-384-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/912-383-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/912-388-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2036-386-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-392-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2032-399-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-558-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-562-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-566-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-572-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-576-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-579-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exeWindows10UpgraderApp.exe

description	ioc	process
File opened (read-only)	\??\e:	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
File opened (read-only)	\??\e:	Windows10UpgraderApp.exe

Drops file in Program Files directory 2 IoCs

Processes:

2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exeWindows10UpgraderApp.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	Windows10UpgraderApp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

Windows10UpgraderApp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	Windows10UpgraderApp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exeWindows10UpgraderApp.exe

pid	process
2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
1732	Windows10UpgraderApp.exe
1732	Windows10UpgraderApp.exe
1732	Windows10UpgraderApp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.execmd.execmd.exeWindows10UpgraderApp.exe

description	pid	process
Token: SeDebugPrivilege	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
Token: SeDebugPrivilege	912	cmd.exe
Token: SeDebugPrivilege	2036	cmd.exe
Token: SeDebugPrivilege	1732	Windows10UpgraderApp.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Windows10UpgraderApp.exe

pid	process
1732	Windows10UpgraderApp.exe
1732	Windows10UpgraderApp.exe
1732	Windows10UpgraderApp.exe
1732	Windows10UpgraderApp.exe
1732	Windows10UpgraderApp.exe
1732	Windows10UpgraderApp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe

description	pid	process	target process
PID 2032 wrote to memory of 912	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	cmd.exe
PID 2032 wrote to memory of 912	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	cmd.exe
PID 2032 wrote to memory of 912	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	cmd.exe
PID 2032 wrote to memory of 912	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	cmd.exe
PID 2032 wrote to memory of 2036	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	cmd.exe
PID 2032 wrote to memory of 2036	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	cmd.exe
PID 2032 wrote to memory of 2036	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	cmd.exe
PID 2032 wrote to memory of 2036	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	cmd.exe
PID 2032 wrote to memory of 1732	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	Windows10UpgraderApp.exe
PID 2032 wrote to memory of 1732	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	Windows10UpgraderApp.exe
PID 2032 wrote to memory of 1732	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	Windows10UpgraderApp.exe
PID 2032 wrote to memory of 1732	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	Windows10UpgraderApp.exe
PID 2032 wrote to memory of 1732	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	Windows10UpgraderApp.exe
PID 2032 wrote to memory of 1732	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	Windows10UpgraderApp.exe
PID 2032 wrote to memory of 1732	2032	2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe	Windows10UpgraderApp.exe

C:\Users\Admin\AppData\Local\Temp\2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe
"C:\Users\Admin\AppData\Local\Temp\2bbe3441043c4665dac59e743ae6e12435c0c87afba23fc9309ff4d95aa8b696.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /S /Q "C:\Windows10Upgrade\Windows10UpgraderApp.exe.tmp"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Windows10Upgrade\Windows10UpgraderApp.exe.tmp"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows10Upgrade\Windows10UpgraderApp.exe
"C:\Windows10Upgrade\Windows10UpgraderApp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll.000
Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C4E.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU13A0.tmp\2052\DWINTL20.DLL
Filesize
109KB

MD5
6ecb02e195cf345d72ff5eb73d250ec3

SHA1
2c5a797c406fa29bd19cecf6ea94abb8a11a1f10

SHA256
41a35d57a1ae29ae41a5150208363f7346d302ede90b3d0039e38a3d402c83b3

SHA512
f69372428d5a472d857317b72b90526fd40d7b53fe9070f34d3a5d870e8ffcbd69646ae2a38288a9672d397f6c393e0ddf906fdb596b8a46f8a82b0f68b3b15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU13A0.tmp\resources\i386\BiosBlocks.xml
Filesize
89KB

MD5
016caf04ffc6c87ddac9e1c43b161ef4

SHA1
e8bcbe431c5b9c0ff5da08c55f103166072cb8ce

SHA256
46d77b5101ca947d1ddd4d1dd727bfec6db65cb2d84ccb8817426aa5bf949bc4

SHA512
38085d057a0f988da5a2b33b31675339e9ee7e335bfe0cacca0b1f0209231de0deae931e38c28df15e698e7871d57ec11c74dfa9680c705dd91d245027584b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU13A0.tmp\resources\i386\nxquery.inf
Filesize
1KB

MD5
ae8053b0e0ed71b40da08ec58a9fd95a

SHA1
9ca4b71eae874fb37554d7c8898722160b2eb183

SHA256
563dc06f3f4a15860c2107181f6660aeff256b587748b6ce9df72c3ae1118d04

SHA512
5042ba84216bb312dbb91f9cc1be4e376105fa1a608a4b99cd7495afb7088243dcc701944da48751416a290c37ff71a153cbd2561fb2bff04bb5361e5c335dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU13A0.tmp\resources\ux\EULA\EULA_en-us.htm
Filesize
57KB

MD5
7c109a8b0471d8e9e30cc79e6cb5924e

SHA1
f29901be4eadee321d2054a95b95cc6bb0d8d05f

SHA256
4d57b34f6a5b7f54222a4660985dfbd0085aec044d304c33d3f45bd51a5a4b38

SHA512
55fe987593b5536b0aad4f0d2e762464a76e1102e42b5cc1c86e0324158dd15f93125bff756243d4c511395bf1f5762c81c35940d59cea0dff84215560044e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU13A0.tmp\resources\ux\EULA\EULA_es-mx.htm
Filesize
68KB

MD5
0c51b01fbe3482e4b45971f0d3aeb50b

SHA1
4b747adbce3c297eaec01ad9978fd274bacba9ba

SHA256
2e1db75000aac4df4765a74d3f763e3b1e2ccfb7f2ff04894899de735fda459e

SHA512
ed8ee1dbf1bc6a801fdcd32ad61ec9b558b192cd519d2b10550c600dcf9a8107ce5f908ccf3f175314d33cc065fa9046fe212504c6252e2d6b526458b370a7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU13A0.tmp\resources\ux\EULA\EULA_fr-fr.htm
Filesize
67KB

MD5
d01ab717aeda0f9ce5d71797e08dfb47

SHA1
535196ade3ada94262020612fea2442701e6c78a

SHA256
0fdcb589ffe9926017123e53f5d453aac8df8d222901d25efa30b7d027c944bd

SHA512
957b26b79bfd28094060365ae42b46e6937d063c4bff34c2781938ba6b434f5af7182accbb00860b167b236ac4bf0e3ebcc4cebad5aa7fa8a431239319ef622e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU13A0.tmp\resources\ux\EULA\EULA_zh-tw.htm
Filesize
143KB

MD5
5a48a6e0569768bf3e27ea2afb7c5c93

SHA1
3cd66bc29ff79b79fddc41afc1be92efc7203ab7

SHA256
0e8d3db5a662ed19d4dafce5bca4ef399a637c705e226718e3804f9664a1deb9

SHA512
f0a622baad0e30c66ac3422c49aa7074654cb6c246ecd7d69d5a8c198bd55e9bccd4cc2f89a9adf5b5f485892dbad2cbb97d15dc4a110b37b5fdb09a00fd505d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU13A0.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css
Filesize
40KB

MD5
415d4bb726c52bd91be8f3afd81e50cc

SHA1
9732e1e6aeb13a6f180b21bb5bd8a4acf7d96dbd

SHA256
c6dd0940a263382fb735f1cdc8550234f9c081625bfe2e5363cb8bb65cc06440

SHA512
c7a8b805027906d8b67d50773a7e362f2e87d3af61b23fab33aec929e21f42610a35f857ede9a17772c5f2b42c1382f8daf7240b76f3996aa65988a87c367847

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU13A0.tmp\resources\ux\default_tens.htm
Filesize
57KB

MD5
63a4229ad01dbd6226ed35ec402f33ec

SHA1
6c905a00856737fb53ccac3febe5716668b65960

SHA256
0cc9b5da1f665df4758b81878f0fe32c69d5566665958cd6b0a6e11ab68ee879

SHA512
01d1cdfbb9f537062944a4edcd43a9286c161f9cc9ba75505e7617f58317590f4fbd2717f0589db73c83e04301baf8df8a149aa4ba359c71dca764c52dea0312

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows10UpgradeVersion.txt
Filesize
14B

MD5
b0148e6864dd056a75e1ac4ffa744c93

SHA1
dc27113b9da8673eddc65796696a0a0968f32ca8

SHA256
fbab2f3d224dc1aec3f23c7f969f87844b2e7e2bb267e257c391dabb02f6b4cd

SHA512
ae84e4702868c3b614a81517c39acb3c0922e680c39d176835c68eb3d5c2d3ed99b9732f2a5e13187ff78cb840eabbb2f38ba2f294db4163ebd5e0009cba996a

Download Submit
C:\Windows10Upgrade\Downloader.dll
Filesize
200KB

MD5
15546827068240b2d496b78b631c2736

SHA1
62131480789dd1f4121d0667d0b40c9c54e8bf2b

SHA256
c7fbfb2a1cb5fa223cbbeecc50353ea48146bd7a909366bdde7cf01d553c884e

SHA512
eb9a1ac5dff85c8e293e211d98f8963b76967de65d03a8b3fc67767665bcdc18156de6b5d211fb414d89adcd1cbc4915a22269077ed12c65adee54665ba99348

Download Submit
C:\Windows10Upgrade\Windows10UpgraderApp.exe
Filesize
1.9MB

MD5
4b24d6dd32482d252dd61f856c719531

SHA1
091977a8c83447b01bf9a0ca90e2e4f6e5de37a1

SHA256
daabb3aef3ba7bb5ef598f7c755ca417844622954a3d7128a3dbd0a5a40474f8

SHA512
3253dd913b5b6e2efd3c979158974425af9c8084d16fed003a31b12cd92d5eab4049fcc2e71ded728645fa9ee807195ced113d3a6633dce10ab2db9078d0a09d

Download Submit
C:\Windows10Upgrade\appraiserxp.dll
Filesize
456KB

MD5
94cad3dd15e842d074e60cd53d1a7703

SHA1
08eb5d659e951284d42e5ef9cdcb3bdf457c6de3

SHA256
1e13ad2b7890619ff3e651e5c0e93457e5438af941c989488e82f78847e4462f

SHA512
961ea96765f2341e2300e3536efa5b3b63d6c8e9cbed8a2c75ec58079cb2473492dfdf2a01050a6743132df38bb3a0dff1fa894774386357791dcd815ac79a3b

Download Submit
C:\Windows10Upgrade\resources\ux\EULA.css
Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Windows10Upgrade\resources\ux\bullet.png
Filesize
221B

MD5
baaa93b2584336c8e2fd561ccaab5391

SHA1
0523f0a835781e2f499f166d405bcdaf48c89a3a

SHA256
d548b0a3da3f8aa61aa880b2af3ba7997304253d763de1b8b1e3906b9adb5363

SHA512
7ca20ee57a778ed02a1771a9b622aa7b0859cee55036ec323e00e0ab1f6be4defad45bd48aab62f54645fa13c3d49b30fd68c0318e3d83465b42e20d05f6c391

Download Submit
C:\Windows10Upgrade\resources\ux\default.css
Filesize
5KB

MD5
75dc1deb03880b98eea8c7aaa0290c48

SHA1
37e8ff2edb6a606c8455f2cef8d34e87c4ce22e0

SHA256
e5d182eb14246c3551bec763bfea90aaacb1338c3a41316502d4204eead79900

SHA512
09e2554785bf6494f64f6e0fe01ef048d8ed7ff9a6d88e9c490fb6815f934bb677880e8176b9131e037133840f96f157be7d226907fdc37142e7eee3f0f61125

Download Submit
C:\Windows10Upgrade\resources\ux\default.htm
Filesize
60KB

MD5
16c900c83a44eac2706a011d1244d88d

SHA1
2ac28524821d32780a618899adb1b1dc925dbad5

SHA256
22caf9de499840e34585efe0de7348aebfa2f38035f6941921434051d7b865d1

SHA512
e299f3915300be06b1027223294ed3019f6c90190f3d8967439b189acd5aaeb1a52e439572a8837854fb3a95f52d1ba2fbc1383501badda52fd33198cc7fcf5e

Download Submit
C:\Windows10Upgrade\resources\ux\loading.gif
Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Windows10Upgrade\resources\ux\logo.png
Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Windows10Upgrade\resources\ux\marketing.png
Filesize
493B

MD5
1c53c2d567ba6050d9a23d86cfba84cc

SHA1
3bc38656cadf574c377ec39733ebce9e8de75138

SHA256
81f5372b0875476184f7c4d04eb4c805706e41bd979a9acd1f1d55105e17e530

SHA512
3ed2dd645af7d3bd0026a253ac2c5a0503b04f88629012dd479d8068a8e6c07a916350f8ce54c0e21faf97b27a9e607eafe86edd28976b168914e3379bf272df

Download Submit
\Program Files\Common Files\System\symsrv.dll
Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Windows10Upgrade\Downloader.dll.tmp
Filesize
276KB

MD5
5ce8197f8719e0669209c46f137d59ef

SHA1
e06586ee81a41944048ea809d68acfdec984761c

SHA256
a473ac61697c95dd01fa67446391b9c32fcdc6215fc62eebe793a7d5f07a8e5a

SHA512
34e1c5d540c280920d78d38faa51cb6ee15201e2f435d07fce62bfd1c34928a301980501c3c53557a400b1364003760a9fb52222b62b778760d204ef1006aab6

Download Submit
\Windows10Upgrade\Windows10UpgraderApp.exe.tmp
Filesize
1.9MB

MD5
e52da68996e5577d3b94b3d01ddcc072

SHA1
a92ad1b0bb272726e9dbd6f4b731ddceb96ebcff

SHA256
7a069713c7733258e7c18baf1abedb426a960d99248619ecc154ca45aa3a21be

SHA512
ec5862abfc2bb66d78e29b3bada80cf1b578cff551ebbafdd0aaf240df3b45569ffa5c8008159f2c5382aa461930391c772d87d3da73bcd8ace613ab99a0ea38

Download Submit
\Windows10Upgrade\appraiserxp.dll.tmp
Filesize
532KB

MD5
1919e162fc72c34834359cff963efbc5

SHA1
306f6bc189139d4e719f2bd0790dabc91bee98a2

SHA256
6409d80b6e5f7932205e92966b4377f510fcc2fa7097ca0386618043e0173437

SHA512
a403ef0ae6315497adc08a6ecdc152d06b947383d0104f1158dd3969d00c116142b15b4bd07b95a3b442f02284e1cd54c5bc32c3a1335f90ff4c32c7c06fbc4e

Download Submit
memory/912-383-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/912-388-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-572-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-392-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-576-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-566-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-579-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-557-0x0000000074870000-0x00000000748A3000-memory.dmp

Filesize
204KB

Download
memory/1732-558-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-562-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2032-399-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2032-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2032-398-0x00000000011E0000-0x000000000127A000-memory.dmp

Filesize
616KB

Download
memory/2036-384-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2036-386-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download