File name: AcWinRT.ps1

Full analysis: https://app.any.run/tasks/522512f4-c7a4-44d8-9f41-52c994646d22
Verdict: Malicious activity
Analysis date: October 21, 2024, 11:26:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65527), with CRLF line terminators
MD5: 764C43128170E2762E2B5B8D5FB89800
SHA1: 31E232F33AC925B25B26989E0D41667503ED8E65
SHA256: 2EC59B8763ADC00F41E18D05C25B425BD212AE788CC00EDA99E9C0CEC5FC2D1E
SSDEEP: 24576:5tfWNyLYWbuoq4Ow0lrS1znNnKJeQmRzYAFU8bhqgnTKdrrwBRjJgQHaJs2h61I4:5AN09aS1zNaqUldYBVJmJtFRspsXEhX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5172)
      • powershell.exe (PID: 1784)
      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 1568)
      • powershell.exe (PID: 4436)
      • powershell.exe (PID: 7964)
      • powershell.exe (PID: 8064)
      • powershell.exe (PID: 4548)
      • powershell.exe (PID: 7952)
      • powershell.exe (PID: 6244)
      • powershell.exe (PID: 7856)
    • Changes powershell execution policy (Bypass)

      • AcWinRT.exe (PID: 6132)
      • powershell.exe (PID: 1784)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5444)
      • powershell.exe (PID: 1568)
      • powershell.exe (PID: 4436)
      • powershell.exe (PID: 7856)
      • powershell.exe (PID: 6244)
      • powershell.exe (PID: 8064)
      • powershell.exe (PID: 7952)
      • powershell.exe (PID: 4548)
      • powershell.exe (PID: 7964)
    • Deletes shadow copies

      • powershell.exe (PID: 7952)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 5172)
    • Uses REG/REGEDIT.EXE to modify registry

      • powershell.exe (PID: 5172)
      • powershell.exe (PID: 5444)
    • Starts POWERSHELL.EXE for commands execution

      • AcWinRT.exe (PID: 6132)
      • powershell.exe (PID: 1784)
    • The process executes Powershell scripts

      • AcWinRT.exe (PID: 6132)
      • powershell.exe (PID: 1784)
    • The process hides an interactive prompt from the user

      • powershell.exe (PID: 1784)
    • Application launched itself

      • powershell.exe (PID: 1784)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 1784)
    • Uses ICACLS.EXE to modify access control lists

      • powershell.exe (PID: 1568)
    • Likely accesses (executes) a file from the Public directory

      • icacls.exe (PID: 7188)
      • icacls.exe (PID: 7948)
  • INFO

    • UPX packer has been detected

      • AcWinRT.exe (PID: 6132)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 1 050
Monitored processes: 178
Malicious processes: 5
Suspicious processes: 1

Behavior graph

[Behavior graph: process tree starting at powershell.exe; nodes include conhost.exe, reg.exe, acwinrt.exe (marked THREAT), powershell.exe, icacls.exe, wmic.exe, dism.exe and searchapp.exe]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 700
CMD: "C:\Windows\system32\icacls.exe" "X:\*" /grant Everyone:F /q /t /c
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 764
CMD: "C:\WINDOWS\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1
Path: C:\Windows\SysWOW64\reg.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 784
CMD: "C:\WINDOWS\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1
Path: C:\Windows\SysWOW64\reg.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 860
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Exit code:
4294967295
Version:
10.0.19041.3996 (WinBuild.160101.0800)
PID: 1376
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1452
CMD: "C:\WINDOWS\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 1
Path: C:\Windows\SysWOW64\reg.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1568
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -noninteractive -noprofile -file c:\programdata\APP002.ps1
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1700
CMD: "C:\WINDOWS\system32\Dism.exe" /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
Path: C:\Windows\SysWOW64\Dism.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Dism Image Servicing Utility
Exit code:
740
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1744
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1784
CMD: powershell -exec bypass -file c:\programdata\APP01.ps1
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: AcWinRT.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events: 54 682
Read events: 54 682
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 22
Suspicious files: 3 077
Text files: 638
Unknown types: 4

Dropped files

PID
Process
Filename
Type
PID: 5172
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ovmok4bp.py5.ps1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 5172
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5:D508027BBFB52411F964A8D7B1F746E5
SHA256:12F88BCA03661227E1A9EE57659C3F989414D4FD31D4FCDABDAA3231D81602C3
PID: 5172
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_awtkqazp.5au.psm1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 1784
Process: powershell.exe
Filename: C:\ProgramData\APP004.ps1
Type: text
MD5:176F2A1FEE1A3E303A151213EE45D539
SHA256:4474E7659A55601F123108403D4EBA63D4A711F02ABDC3A0A21BFA13760A4149
PID: 1784
Process: powershell.exe
Filename: C:\ProgramData\APP006.ps1
Type: text
MD5:506B46EA0CD944258549A5B1AC3F15B8
SHA256:61898945882C9FA3B382E41BDA3A90CCBD0EBAF9A22CAFAF46D5DBC5A0AEBBBA
PID: 1784
Process: powershell.exe
Filename: C:\ProgramData\APP003.ps1
Type: text
MD5:EF294EAF64B42211EB38785843B653C6
SHA256:0CA42096321BE68DEB96680EF4B13332066C74C4FD0B4D394A5770DA7C6A0D30
PID: 1784
Process: powershell.exe
Filename: C:\ProgramData\APP009.ps1
Type: text
MD5:22D1BBCD47C1A6E23A688B751B0A7540
SHA256:7AEF3973158DFADD53ED24B29A243E38FA2A12F15A437E58474CB17D60F3DAA6
PID: 1784
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kwojsmhr.dxn.ps1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 5172
Process: powershell.exe
Filename: C:\ProgramData\AcWinRT.exe
Type: executable
MD5:D76F118CC37D5F297F651292ADFA4B93
SHA256:0197970F61EFE6F979C47FD88872CB7D4B6ADE0C417AFD11C398FA9CDF909D7A
PID: 5172
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF8c3c6.TMP
Type: binary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
HTTP(S) requests: 7
TCP/UDP connections: 80
DNS requests: 27
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.33.209.121:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5824
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
8124
SIHClient.exe
GET
200
23.212.193.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8124
SIHClient.exe
GET
200
23.212.193.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4360
SearchApp.exe
2.16.110.120:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.33.209.121:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
4
System
192.168.100.255:138
whitelisted
5824
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5824
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 51.104.136.2
whitelisted
www.bing.com
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.microsoft.com
  • 23.33.209.121
  • 23.212.193.218
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.68
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.73
  • 20.190.159.4
  • 40.126.31.69
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
th.bing.com
whitelisted
go.microsoft.com
  • 84.53.189.169
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
No debug info