File name: pcimpact.exe

Full analysis: https://app.any.run/tasks/82bb5617-c752-4a34-9250-2230920d38d3
Verdict: Malicious activity
Analysis date: December 22, 2024, 18:43:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 0B11A5EFCD36B41BC13BA9DEFA8B98C3
SHA1: AF50C8BCEB7E11C9A8EC8CA1C3ECD93ED9E51A0D
SHA256: BAA472BBD6C492E6706B3EA473BCF30B8E98B4DBE92D927DD07EDB9A4C7B3F5E
SSDEEP: 98304:HJ3IaeN+wcTAScUCYDOSA2ibMlq0Ti7UJDZ2pli9TZIATPSkO2CGi2pYmJNHaEJL:eTy6wnG/t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • pcimpact.exe (PID: 6536)
  • SUSPICIOUS

    • Process drops python dynamic module

      • pcimpact.exe (PID: 6504)
    • Executable content was dropped or overwritten

      • pcimpact.exe (PID: 6504)
    • The process drops C-runtime libraries

      • pcimpact.exe (PID: 6504)
    • Application launched itself

      • pcimpact.exe (PID: 6504)
    • Loads Python modules

      • pcimpact.exe (PID: 6536)
    • Process drops legitimate windows executable

      • pcimpact.exe (PID: 6504)
  • INFO

    • Reads the computer name

      • pcimpact.exe (PID: 6504)
    • The sample compiled with english language support

      • pcimpact.exe (PID: 6504)
    • Checks supported languages

      • pcimpact.exe (PID: 6504)
      • pcimpact.exe (PID: 6536)
    • Create files in a temporary directory

      • pcimpact.exe (PID: 6504)
    • Process checks whether UAC notifications are on

      • pcimpact.exe (PID: 6536)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:22 18:39:49+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 172032
InitializedDataSize: 154624
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes in the graph ("no specs" marks a process with no specific indicators of its own):
  • start
  • pcimpact.exe
  • pcimpact.exe (no specs)
  • vssadmin.exe (no specs)
  • conhost.exe (no specs)
  • vssadmin.exe (no specs)
  • conhost.exe (no specs)
  • vssadmin.exe (no specs)
  • conhost.exe (no specs)

Process information

PID: 6504
CMD: "C:\Users\admin\Desktop\pcimpact.exe"
Path: C:\Users\admin\Desktop\pcimpact.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\pcimpact.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 6536
CMD: "C:\Users\admin\Desktop\pcimpact.exe"
Path: C:\Users\admin\Desktop\pcimpact.exe
Parent process: pcimpact.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\pcimpact.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 6556
CMD: vssadmin list shadows
Path: C:\Windows\System32\vssadmin.exe
Parent process: pcimpact.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 6572
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: vssadmin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6652
CMD: vssadmin delete shadows /all /quiet
Path: C:\Windows\System32\vssadmin.exe
Parent process: pcimpact.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 6668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: vssadmin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6748
CMD: vssadmin list shadows
Path: C:\Windows\System32\vssadmin.exe
Parent process: pcimpact.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 6764
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: vssadmin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 186
Read events: 186
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 10
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\_socket.pyd | executable
  MD5: FE896371430BD9551717EF12A3E7E818
  SHA256: 35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\_decimal.pyd | executable
  MD5: F3377F3DE29579140E2BBAEEFD334D4F
  SHA256: B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\select.pyd | executable
  MD5: 20831703486869B470006941B4D996F2
  SHA256: 78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\_bz2.pyd | executable
  MD5: CB8C06C8FA9E61E4AC5F22EEBF7F1D00
  SHA256: FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\_lzma.pyd | executable
  MD5: 1BA022D42024A655CF289544AE461FB8
  SHA256: D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\python313.dll | executable
  MD5: B9DE917B925DD246B709BB4233777EFD
  SHA256: 0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\VCRUNTIME140.dll | executable
  MD5: 862F820C3251E4CA6FC0AC00E4092239
  SHA256: 36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\base_library.zip | compressed
  MD5: A9CBD0455B46C7D14194D1F18CA8719E
  SHA256: DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\unicodedata.pyd | executable
  MD5: 0902D299A2A487A7B0C2D75862B13640
  SHA256: 2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
6504 | pcimpact.exe | C:\Users\admin\AppData\Local\Temp\_MEI65042\_hashlib.pyd | executable
  MD5: 32D76C9ABD65A5D2671AEEDE189BC290
  SHA256: 838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
HTTP(S) requests: 2
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.9.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.212.110.186:443 | www.bing.com | Akamai International B.V. | CZ | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.9.218:80 | www.microsoft.com | AKAMAI-AS | CZ | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3976 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
www.bing.com
  • 23.212.110.186
  • 23.212.110.202
  • 23.212.110.185
  • 23.212.110.217
  • 23.212.110.208
  • 23.212.110.210
  • 23.212.110.200
  • 23.212.110.187
  • 23.212.110.203
whitelisted
google.com
  • 142.250.185.142
unknown
crl.microsoft.com
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 2.23.9.218
whitelisted
self.events.data.microsoft.com
  • 52.168.117.170
whitelisted

Threats

No threats detected
No debug info