File name:

AcWinRT.ps1

Full analysis: https://app.any.run/tasks/522512f4-c7a4-44d8-9f41-52c994646d22
Verdict: Malicious activity
Analysis date: October 21, 2024, 11:26:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65527), with CRLF line terminators
MD5:

764C43128170E2762E2B5B8D5FB89800

SHA1:

31E232F33AC925B25B26989E0D41667503ED8E65

SHA256:

2EC59B8763ADC00F41E18D05C25B425BD212AE788CC00EDA99E9C0CEC5FC2D1E

SSDEEP:

24576:5tfWNyLYWbuoq4Ow0lrS1znNnKJeQmRzYAFU8bhqgnTKdrrwBRjJgQHaJs2h61I4:5AN09aS1zNaqUldYBVJmJtFRspsXEhX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5172)
      • powershell.exe (PID: 1784)
      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 1568)
      • powershell.exe (PID: 4436)
      • powershell.exe (PID: 7856)
      • powershell.exe (PID: 7952)
      • powershell.exe (PID: 8064)
      • powershell.exe (PID: 4548)
      • powershell.exe (PID: 6244)
      • powershell.exe (PID: 7964)
    • Changes powershell execution policy (Bypass)

      • AcWinRT.exe (PID: 6132)
      • powershell.exe (PID: 1784)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 1568)
      • powershell.exe (PID: 4436)
      • powershell.exe (PID: 7964)
      • powershell.exe (PID: 7856)
      • powershell.exe (PID: 8064)
      • powershell.exe (PID: 7952)
      • powershell.exe (PID: 4548)
      • powershell.exe (PID: 6244)
    • Deletes shadow copies

      • powershell.exe (PID: 7952)
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • powershell.exe (PID: 5172)
      • powershell.exe (PID: 5444)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 5172)
    • Starts POWERSHELL.EXE for commands execution

      • AcWinRT.exe (PID: 6132)
      • powershell.exe (PID: 1784)
    • The process executes Powershell scripts

      • AcWinRT.exe (PID: 6132)
      • powershell.exe (PID: 1784)
    • Application launched itself

      • powershell.exe (PID: 1784)
    • The process hide an interactive prompt from the user

      • powershell.exe (PID: 1784)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 1784)
    • Uses ICACLS.EXE to modify access control lists

      • powershell.exe (PID: 1568)
    • Likely accesses (executes) a file from the Public directory

      • icacls.exe (PID: 7948)
      • icacls.exe (PID: 7188)
  • INFO

    • UPX packer has been detected

      • AcWinRT.exe (PID: 6132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
1 050
Monitored processes
178
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs reg.exe no specs reg.exe no specs THREAT acwinrt.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs icacls.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs powershell.exe no specs conhost.exe no specs reg.exe no specs dism.exe no specs searchapp.exe no specs reg.exe no specs dism.exe no specs searchapp.exe no specs searchapp.exe no specs reg.exe no specs dism.exe no specs searchapp.exe no specs reg.exe no specs dism.exe no specs searchapp.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs searchapp.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs reg.exe no specs dism.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
700"C:\Windows\system32\icacls.exe" "X:\*" /grant Everyone:F /q /t /c C:\Windows\SysWOW64\icacls.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
764"C:\WINDOWS\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1C:\Windows\SysWOW64\reg.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
784"C:\WINDOWS\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1C:\Windows\SysWOW64\reg.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
860"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mcaC:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Exit code:
4294967295
Version:
10.0.19041.3996 (WinBuild.160101.0800)
1376\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeicacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1452"C:\WINDOWS\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1C:\Windows\SysWOW64\reg.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
1568"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -noninteractive -noprofile -file c:\programdata\APP002.ps1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
1700"C:\WINDOWS\system32\Dism.exe" /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quietC:\Windows\SysWOW64\Dism.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Dism Image Servicing Utility
Exit code:
740
Version:
10.0.19041.1 (WinBuild.160101.0800)
1744\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1784powershell -exec bypass -file c:\programdata\APP01.ps1C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAcWinRT.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events
54 682
Read events
54 682
Write events
0
Delete events
0

Modification events

No data
Executable files
22
Suspicious files
3 077
Text files
638
Unknown types
4

Dropped files

PID
Process
Filename
Type
1784powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tje5kvmg.51g.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1784powershell.exeC:\ProgramData\APP008.ps1text
MD5:BEA26B28614C5D3740911E5960C52376
SHA256:220609F59B54B45F1A8BB6CE5F651EBFDC199D9E9E363783748A2A0632966231
1784powershell.exeC:\ProgramData\APP002.ps1text
MD5:0207CF65889CF4D2ED8CE98154A9E170
SHA256:670E6989D3956C72E462D81C28D2806402B93131FFB4D431C1BDE1D95567DD57
6132AcWinRT.exeC:\ProgramData\APP01.ps1text
MD5:A5F8678EE153269F935C0122467B4F60
SHA256:4E06431085633A902C835F1033A7C073930835A9BA0A495770591BBF3C2AA621
1784powershell.exeC:\ProgramData\APP004.ps1text
MD5:176F2A1FEE1A3E303A151213EE45D539
SHA256:4474E7659A55601F123108403D4EBA63D4A711F02ABDC3A0A21BFA13760A4149
5172powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:D508027BBFB52411F964A8D7B1F746E5
SHA256:12F88BCA03661227E1A9EE57659C3F989414D4FD31D4FCDABDAA3231D81602C3
1784powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kwojsmhr.dxn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5172powershell.exeC:\ProgramData\icon.icoimage
MD5:51A4696865C6E6818EA4404F45A4639C
SHA256:36C84C4D00651D44857F7D8429365B7884821935382C39030934C893D37CE963
5172powershell.exeC:\ProgramData\AcWinRT.exeexecutable
MD5:D76F118CC37D5F297F651292ADFA4B93
SHA256:0197970F61EFE6F979C47FD88872CB7D4B6ADE0C417AFD11C398FA9CDF909D7A
5172powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_awtkqazp.5au.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
80
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5824
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.33.209.121:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8124
SIHClient.exe
GET
200
23.212.193.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
8124
SIHClient.exe
GET
200
23.212.193.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4360
SearchApp.exe
2.16.110.120:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.33.209.121:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
4
System
192.168.100.255:138
whitelisted
5824
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5824
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.16.110.120
  • 2.16.110.195
  • 2.16.110.123
  • 2.16.110.193
  • 2.16.110.187
  • 2.16.110.202
  • 2.16.110.192
  • 2.16.110.203
  • 2.16.110.200
  • 2.16.101.98
  • 2.16.101.88
  • 2.16.101.106
  • 2.16.101.120
  • 2.16.101.97
  • 2.16.101.115
  • 2.16.101.91
  • 2.16.101.89
  • 2.16.101.99
  • 2.22.50.227
  • 2.22.50.217
  • 2.23.209.168
  • 2.23.209.156
  • 2.23.209.154
  • 2.23.209.162
  • 2.23.209.153
  • 2.23.209.171
  • 2.23.209.158
  • 2.23.209.160
  • 2.23.209.166
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.microsoft.com
  • 23.33.209.121
  • 23.212.193.218
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.68
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.73
  • 20.190.159.4
  • 40.126.31.69
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
th.bing.com
  • 2.16.110.122
  • 2.16.110.136
  • 2.16.110.138
  • 2.16.110.131
  • 2.16.110.128
  • 2.16.110.139
  • 2.16.110.120
  • 2.16.110.123
  • 2.16.110.203
  • 2.23.209.150
  • 2.23.209.168
  • 2.23.209.180
  • 2.23.209.175
  • 2.23.209.166
  • 2.23.209.158
  • 2.23.209.153
  • 2.23.209.171
  • 2.23.209.176
whitelisted
go.microsoft.com
  • 84.53.189.169
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
No debug info