File name:

ACSaveTool_x64

Full analysis: https://app.any.run/tasks/318c712e-9fc2-46e7-ab9b-ce4e7611a572
Verdict: Malicious activity
Analysis date: June 21, 2025, 10:33:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

0BF7D2A2CA40538B8B02B393EAC995AF

SHA1:

BCB7C00E2F9EA3FF85D7092A00FC17536C9F8369

SHA256:

4CC25D80D1F4AEDEEA67EBE9DF48A346B25C81EB582421F4B8EAC29B3F2FEE68

SSDEEP:

98304:p1E4A+hpWar6pha+xXZzIODV+WP3C/T5HsWd8QNsynwuFaBIQLOUNHxpswPchnlm:339F3hfJbR+QJJb78e8q+7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ACSaveTool_x64.exe (PID: 3976)

    • The process drops C-runtime libraries

      • ACSaveTool_x64.exe (PID: 3976)

    • Process drops legitimate windows executable

      • ACSaveTool_x64.exe (PID: 3976)

    • Reads security settings of Internet Explorer

      • ACSaveTool_x64.exe (PID: 3976)

    • Reads the date of Windows installation

      • ACSaveTool_x64.exe (PID: 3976)

    • There is functionality for taking screenshot (YARA)

      • ACSaveTool.exe (PID: 6612)
      • ACSaveTool_x64.exe (PID: 3976)

  • INFO

    • Checks supported languages

      • ACSaveTool_x64.exe (PID: 3976)

    • The sample compiled with english language support

      • ACSaveTool_x64.exe (PID: 3976)

    • Reads the computer name

      • ACSaveTool_x64.exe (PID: 3976)

    • Create files in a temporary directory

      • ACSaveTool_x64.exe (PID: 3976)

    • Process checks computer location settings

      • ACSaveTool_x64.exe (PID: 3976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2017:06:15 00:09:18+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 10
CodeSize: 131072
InitializedDataSize: 314880
UninitializedDataSize: -
EntryPoint: 0x206bc
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 2.6.0.0
ProductVersionNumber: 2.6.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: ACSaveTool
FileVersion: 2.6.0.0
LegalCopyright: Linus L.
OriginalFileName: ACSaveTool.exe
ProductName: ACST
ProductVersion: 2.6.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start acsavetool_x64.exe acsavetool.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3640C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3976"C:\Users\admin\AppData\Local\Temp\ACSaveTool_x64.exe" C:\Users\admin\AppData\Local\Temp\ACSaveTool_x64.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\acsavetool_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
6612"C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\ACSaveTool.exe" C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\ACSaveTool.exeACSaveTool_x64.exe
User:
admin
Integrity Level:
MEDIUM
Total events
829
Read events
829
Write events
0
Delete events
0

Modification events

No data
Executable files
12
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\Qt6Core.dllexecutable
MD5:8B1CE7C4AE80F5A2EF4D968E5A78B8D6
SHA256:130C6EF3C126E97AAEC1A5CB1C638D7404473A3DDA837D6E161C69DB7A5BC339
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\acst_r2.dllexecutable
MD5:ED265DD6E4DF02B22C453243DBE5C9CE
SHA256:8A92D3BA78C65BB33463F82D7785873DE7FA4D155229412C4F51D4B470C7994F
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\msvcp140_1.dllexecutable
MD5:EB221297B66B80F34D1B959438CB85AD
SHA256:A8678363EC5CC5D17BF2475426C66E7E0539E7A46FE8B106F577F0BC636C1DAE
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\Qt6Widgets.dllexecutable
MD5:6532269DC53D121B4F5129FD96789D74
SHA256:0D07A57F8FB298BC57FB66E49C6580094F8FE979D9F5DEAFCFC87FE1ED2E9F0F
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\platforms\qwindows.dllexecutable
MD5:CBB594A2C2708F51F83134D527A01CD5
SHA256:87B2A5889A45B4DA2387B223B855E43D56CA30C90B18449553F8D756E7F2C681
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\msvcp140_2.dllexecutable
MD5:6FD1ABFC3BB7051F76502BED89AAD34F
SHA256:54D60E5B7A715192166A03DE9B0FF69E9ECF196713E728208F81D7BDF43C2EE8
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\Qt6Gui.dllexecutable
MD5:C9E8AF54833D05FE951DB2DE478CAC98
SHA256:AE656B4D85FED20042A7FB2F4F71BD0C14B4797C740BEDC005805F1040B73B83
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\styles\qmodernwindowsstyle.dllexecutable
MD5:C530EC3F535E240809312C791B414499
SHA256:0B4925B59BFC864FB25688AC73A44C790B2162FED670602B922A74AB1FA07B51
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\vcruntime140_1.dllexecutable
MD5:C0C0B4C611561F94798B62EB43097722
SHA256:497A280550443E3E9F89E428E51CB795139CA8944D5DEDD54A7083C00E7164E5
3976ACSaveTool_x64.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\ACST\vcruntime140.dllexecutable
MD5:32DA96115C9D783A0769312C0482A62D
SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4700
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5924
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4700
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4700
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
4700
SIHClient.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.131
  • 40.126.31.69
  • 20.190.159.4
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.75
  • 40.126.31.130
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ACSaveTool_x64