File name:

PCOptimizerProInstaller.exe

Full analysis: https://app.any.run/tasks/0e064131-5316-4d29-83bf-09179546f926
Verdict: Malicious activity
Analysis date: December 27, 2024, 07:38:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

A50C74202E2F4D938BABF556B9F54725

SHA1:

6810DB1606CAC6AB19EDBAA49620BA197EF7BC64

SHA256:

937CCAD21C0271169104539269B5F3FAA43D6CA2E36D676FBF9B6FA6DF41B40A

SSDEEP:

49152:ow3E/lpFJpOhj8ZJvL/QAwN1h1zjZblxwr2UGlm3qnzvSZsrKCB4TlwuwHNBb2j:paa4Zpc7h15bDwvGA6zvSZse7TSoj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • PCOptimizerProInstaller.exe (PID: 6524)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PCOptimizerProInstaller.exe (PID: 6524)
    • The process creates files with name similar to system file names

      • PCOptimizerProInstaller.exe (PID: 6524)
    • Creates a software uninstall entry

      • PCOptimizerProInstaller.exe (PID: 6524)
    • Reads security settings of Internet Explorer

      • PCOptimizerProStartApps.exe (PID: 7008)
      • PCOptimizerPro.exe (PID: 7144)
    • Checks Windows Trust Settings

      • PCOptimizerPro.exe (PID: 7144)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • PCOptimizerProInstaller.exe (PID: 6524)
  • INFO

    • The sample compiled with english language support

      • PCOptimizerProInstaller.exe (PID: 6524)
    • Checks supported languages

      • PCOptimizerProInstaller.exe (PID: 6524)
      • PCOptimizerProStartApps.exe (PID: 7008)
      • PCOptimizerPro.exe (PID: 7144)
    • Reads the computer name

      • PCOptimizerPro.exe (PID: 7144)
      • PCOptimizerProInstaller.exe (PID: 6524)
    • Reads CPU info

      • PCOptimizerPro.exe (PID: 7144)
    • Creates files in the program directory

      • PCOptimizerProInstaller.exe (PID: 6524)
      • PCOptimizerPro.exe (PID: 7144)
    • The process uses the downloaded file

      • PCOptimizerProStartApps.exe (PID: 7008)
    • Process checks computer location settings

      • PCOptimizerProStartApps.exe (PID: 7008)
    • Checks proxy server information

      • PCOptimizerPro.exe (PID: 7144)
    • Reads the software policy settings

      • PCOptimizerPro.exe (PID: 7144)
    • Sends debugging messages

      • regsvr32.exe (PID: 6960)
    • Reads the machine GUID from the registry

      • PCOptimizerPro.exe (PID: 7144)
    • Create files in a temporary directory

      • PCOptimizerPro.exe (PID: 7144)
      • PCOptimizerProInstaller.exe (PID: 6524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:16 00:50:56+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25600
InitializedDataSize: 162816
UninitializedDataSize: 1024
EntryPoint: 0x326b
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.1.1.6
ProductVersionNumber: 8.1.1.6
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Spanish (Castilian)
CharacterSet: Windows, Latin1
Comments: PC Optimizer Pro Nothing optimize your PC better for more details visit http://www.pcoptmizerpro.com
CompanyName: Xportsoft.com
FileDescription: PC Optimizer Pro
FileVersion: 8.1.1.6
InternalName: PC Optimizer Pro Nothing optimize your PC better
LegalCopyright: (c) Xportsoft Technologies. All rights reserved.
LegalTrademarks: Xportsoft Technoliges Pvt. Ltd.
OriginalFileName: PC Optimizer Pro
ProductName: PC Optimizer Pro
ProductVersion: 8.1.1.6
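The EXIF block above is a rendering of the PE headers (IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER). The following is an added example, not code from ANY.RUN or from the sample's vendor: a dependency-free parser that recovers the same triage fields (machine, section count, compile timestamp, characteristics flags, linker version, entry point, subsystem) from raw bytes. The input is a constructed header carrying the values printed above, not the installer itself; on a real file, pass the file contents to `parse_pe_triage` and compare the timestamp and linker version against what the packer or installer framework (here NSIS) normally produces.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), listed in the order the report prints them.
CHARACTERISTICS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0020, "Large address aware"),
    (0x0100, "32-bit"),
    (0x2000, "DLL"),
]
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_triage(data: bytes) -> dict:
    """Read the header fields an analyst checks first, straight from the bytes (no pefile)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature.
    fh = e_lfanew + 4
    machine, nsections, tds, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    # IMAGE_OPTIONAL_HEADER starts right after; the offsets used below hold for PE32 and PE32+.
    oh = fh + 20
    magic, lnk_major, lnk_minor, code_sz, init_sz, uninit_sz, entry = struct.unpack_from("<HBBIIII", data, oh)
    os_major, os_minor, img_major, img_minor, ss_major, ss_minor = struct.unpack_from("<6H", data, oh + 40)
    subsystem = struct.unpack_from("<H", data, oh + 68)[0]
    ts = datetime.fromtimestamp(tds, tz=timezone.utc)
    return {
        "MachineType": MACHINES.get(machine, f"0x{machine:04x}"),
        "NumberOfSections": nsections,
        "TimeStamp": ts.strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(name for bit, name in CHARACTERISTICS if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"0x{magic:x}"),
        "LinkerVersion": f"{lnk_major}.{lnk_minor}",
        "CodeSize": code_sz,
        "InitializedDataSize": init_sz,
        "UninitializedDataSize": uninit_sz,
        "EntryPoint": f"0x{entry:x}",
        "OSVersion": f"{os_major}.{os_minor}",
        "ImageVersion": f"{img_major}.{img_minor}",
        "SubsystemVersion": f"{ss_major}.{ss_minor}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "OptionalHeaderSize": opt_size,
    }


def build_sample_header() -> bytes:
    """Constructed header bytes (not the real installer) carrying the values from the EXIF block."""
    ts = int(datetime(2019, 12, 16, 0, 50, 56, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew -> PE signature
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 5, ts, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)                                        # PE32 optional header size
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 6, 0, 25600, 162816, 1024, 0x326B)
    struct.pack_into("<6H", opt, 40, 4, 0, 6, 0, 4, 0)           # OS / image / subsystem versions
    struct.pack_into("<H", opt, 68, 2)                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for k, v in parse_pe_triage(build_sample_header()).items():
        print(f"{k}: {v}")
```

The characteristics value 0x010F decodes to exactly the five flags the report lists; a DLL would additionally carry 0x2000, and a PE32+ image would carry 0x20B as the optional header magic instead of 0x10B.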
No data.
All screenshots are available in the full report
Total processes
128
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Process chain (parent to child, from the process table below; "no specs" marks a process without indicators):

explorer.exe
  pcoptimizerproinstaller.exe (PID 6320, no specs; exits with STATUS_ELEVATION_REQUIRED)
  pcoptimizerproinstaller.exe (PID 6524, high integrity)
    regsvr32.exe (PID 6960)
    pcoptimizerprostartapps.exe (PID 7008, no specs)
      pcoptimizerpro.exe (PID 7144)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6320
CMD: "C:\Users\admin\AppData\Local\Temp\PCOptimizerProInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\PCOptimizerProInstaller.exe
Parent process: explorer.exe
User:
admin
Company:
Xportsoft.com
Integrity Level:
MEDIUM
Description:
PC Optimizer Pro
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance stops because the installer needs elevation; PID 6524 below is the same command line running at HIGH integrity)
Version:
8.1.1.6
Modules
Images
c:\users\admin\appdata\local\temp\pcoptimizerproinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6524
CMD: "C:\Users\admin\AppData\Local\Temp\PCOptimizerProInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\PCOptimizerProInstaller.exe
Parent process: explorer.exe
User:
admin
Company:
Xportsoft.com
Integrity Level:
HIGH
Description:
PC Optimizer Pro
Exit code:
0
Version:
8.1.1.6
Modules
Images
c:\users\admin\appdata\local\temp\pcoptimizerproinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6960
CMD: regsvr32.exe /s "C:\Program Files\PC Optimizer Pro\PCOptProCtxMenu.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: PCOptimizerProInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7008
CMD: "C:\Program Files\PC Optimizer Pro\PCOPtimizerproStartApps.exe" "C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe"
Path: C:\Program Files\PC Optimizer Pro\PCOptimizerProStartApps.exe
Parent process: PCOptimizerProInstaller.exe
User:
admin
Company:
Xportsoft Technologies
Integrity Level:
HIGH
Description:
Starting up the applicaiton
Exit code:
0
Version:
1.0.0.9
Modules
Images
c:\program files\pc optimizer pro\pcoptimizerprostartapps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7144
CMD: "C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe"
Path: C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe
Parent process: PCOptimizerProStartApps.exe
User:
admin
Company:
Xportsoft Technologies
Integrity Level:
HIGH
Description:
Nothing optimize your PC better
Version:
8, 1, 1, 6
Modules
Images
c:\program files\pc optimizer pro\pcoptimizerpro.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
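The regsvr32.exe row (PID 6960) carries the only MALICIOUS-rated behaviour in this report: a 32-bit regsvr32, run silently and elevated, registering a DLL from Program Files on behalf of an installer executing out of %TEMP%. The following is an added detection example, not code from ANY.RUN or from the sample's vendor. It evaluates process-creation events shaped like the process table above; the events are constructed for the example (the second one, msiexec.exe registering the Windows scrrun.dll from System32, is a hypothetical benign control) so the logic runs offline against what a Sysmon Event ID 1 or EDR feed would carry.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation event with the fields the process table above shows."""
    pid: int
    image: str
    cmdline: str
    parent_image: str
    integrity: str


# Constructed events modelled on the process table above, plus a hypothetical benign control.
SAMPLE_EVENTS = [
    ProcEvent(6960, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\PC Optimizer Pro\PCOptProCtxMenu.dll"',
              r"C:\Users\admin\AppData\Local\Temp\PCOptimizerProInstaller.exe", "HIGH"),
    ProcEvent(4242, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\scrrun.dll",
              r"C:\Windows\System32\msiexec.exe", "SYSTEM"),
]

WINDOWS_DIR = "c:\\windows\\"


def split_cmdline(cmdline: str) -> list:
    """Windows-style tokenizer: a double-quoted span is one argument, backslashes are literal."""
    return [quoted if quoted else bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def analyze_regsvr32(ev: ProcEvent) -> dict:
    """Return {'alert': bool, 'notes': [...]} for one process-creation event."""
    if not ev.image.lower().endswith("\\regsvr32.exe"):
        return {"alert": False, "notes": ["not regsvr32"]}
    notes, alert = [], False
    args = split_cmdline(ev.cmdline)[1:]
    switches = {a.lower() for a in args if a.startswith("/")}
    targets = [a for a in args if not a.startswith("/")]
    for target in targets:
        tl = target.lower()
        if not tl.startswith(WINDOWS_DIR):
            alert = True
            notes.append(f"registers a module outside the Windows directory: {target}")
        if not tl.endswith(".dll"):
            alert = True
            notes.append(f"target is not a .dll: {target}")
    if any(re.match(r"/i:https?://", s) for s in switches):
        alert = True  # DllInstall argument fetched from a URL: a well-known regsvr32 LOLBin pattern
        notes.append("DllInstall argument points at a URL")
    if "/s" in switches:
        notes.append("silent mode (/s): no dialog shown to the user")
    if "\\syswow64\\" in ev.image.lower():
        notes.append("32-bit regsvr32: CLSID/Interface keys land under HKCR\\WOW6432Node")
    parent = ev.parent_image.lower()
    if "\\temp\\" in parent or "\\downloads\\" in parent:
        alert = True
        notes.append(f"parent runs from a user-writable staging directory: {ev.parent_image}")
    if alert and ev.integrity.upper() in ("HIGH", "SYSTEM"):
        notes.append(f"registration runs elevated ({ev.integrity}): machine-wide HKLM persistence possible")
    return {"alert": alert, "notes": notes}


def triage(events) -> dict:
    """Run the check over a batch of events, keyed by PID."""
    return {ev.pid: analyze_regsvr32(ev) for ev in events}


if __name__ == "__main__":
    for pid, result in triage(SAMPLE_EVENTS).items():
        print(pid, "ALERT" if result["alert"] else "ok", "; ".join(result["notes"]))
```

The alert condition is deliberately not "regsvr32 was executed": Windows setup and MSI packages register DLLs from System32 constantly, so the signal is the combination of a non-Windows module path, a parent running from a temp or download location, and elevation. The WOW6432Node note explains why the Modification events below show the CLSID under that subtree.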
Total events
1 347
Read events
1 316
Write events
26
Delete events
5

Modification events

PID 6960 regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}\InprocServer32
Operation: write | Name: ThreadingModel | Value: Apartment

PID 6960 regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}\InprocServer32
Operation: delete key | Name: (default)

PID 6960 regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}
Operation: delete key | Name: (default)

PID 6960 regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PCProCtxMenu
Operation: delete key | Name: (default)

PID 6960 regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\PCProCtxMenu
Operation: delete key | Name: (default)

PID 6960 regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib
Operation: write | Name: Version | Value: 1.0

PID 6960 regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{12AB121E-44C6-488B-8773-B0AE25E662E1}\TypeLib
Operation: write | Name: Version | Value: 1.0

PID 6524 PCOptimizerProInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Optimizer Pro
Operation: write | Name: DisplayName | Value: PC Optimizer Pro

PID 6524 PCOptimizerProInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Optimizer Pro
Operation: write | Name: UninstallString | Value: C:\Program Files\PC Optimizer Pro\uninst.exe

PID 6524 PCOptimizerProInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Optimizer Pro
Operation: write | Name: DisplayIcon | Value: C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe
Executable files
10
Suspicious files
14
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 6524 PCOptimizerProInstaller.exe
File: C:\Users\admin\AppData\Local\Temp\nsr5BD0.tmp\LangDLL.dll (executable)
MD5: DE3558CE305E32F742FF25B697407FEC | SHA256: 98160B4EBB4870F64B13A45F5384B693614AE5CA1B5243EDF461CA0B5A6D479A

PID 6524 PCOptimizerProInstaller.exe
File: C:\Users\admin\AppData\Local\Temp\nsr5BD0.tmp\modern-header.bmp (image)
MD5: 2E9AD88F5A52C0CBDBE3D4FD93DCF6CC | SHA256: D31D0DA901EDA4A56BC1AA899F69BA90CC2B8338AE382CEFA088DDFDBCA41A58

PID 6524 PCOptimizerProInstaller.exe
File: C:\Users\admin\AppData\Local\Temp\nsr5BD0.tmp\nsDialogs.dll (executable)
MD5: AB101F38562C8545A641E95172C354B4 | SHA256: 3CDF3E24C87666ED5C582B8B028C01EE6AC16D5A9B8D8D684AE67605376786EA

PID 6524 PCOptimizerProInstaller.exe
File: C:\Users\admin\AppData\Local\Temp\nsr5BD0.tmp\System.dll (executable)
MD5: FBE295E5A1ACFBD0A6271898F885FE6A | SHA256: A1390A78533C47E55CC364E97AF431117126D04A7FAED49390210EA3E89DD0E1

PID 6524 PCOptimizerProInstaller.exe
File: C:\Program Files\PC Optimizer Pro\PCOptimizerProStartApps.exe (executable)
MD5: FEF32B3E500338788F90A80DF1CE328B | SHA256: 877E4CE4230C68504DBA02BE9EA2A17D5FF52FC08E1E25A386F1E49BAF2373B8

PID 6524 PCOptimizerProInstaller.exe
File: C:\Program Files\PC Optimizer Pro\PCOptimizerProTrays.exe (executable)
MD5: 1AE41A873E8D0C6E4A37C6FB366AC235 | SHA256: 3287724F1F2E5AF5004082C0B7DC8ADE2B20CC86BA4044A81B5C4942C5634644

PID 6524 PCOptimizerProInstaller.exe
File: C:\Users\admin\AppData\Local\Temp\nsr5BD0.tmp\GetVersion.dll (executable)
MD5: DC9562578490DF8BC464071F125BFC19 | SHA256: 0351FE33A6EB13417437C1BAAEE248442FB1ECC2C65940C9996BCDA574677C3F

PID 6524 PCOptimizerProInstaller.exe
File: C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe (executable)
MD5: E3EAF30B68A0D5D7ECC66EE20245DA04 | SHA256: 81AC2BF8338D5068BF224A058B9DA8F45CF7CD19F76EAD74DC356A1CAB305DC4

PID 6524 PCOptimizerProInstaller.exe
File: C:\Program Files\PC Optimizer Pro\Languages\EN.xml (xml)
MD5: 78FF55F081E2266EDB914AA426FB521B | SHA256: 4CC17D1D813574363E030EDF6A09D398916C4C3BD2B7F5E25DD7FFD94D3B0018

PID 6524 PCOptimizerProInstaller.exe
File: C:\Program Files\PC Optimizer Pro\Languages\DE.xml (xml)
MD5: 1EBD8CC9732943E9D794CCDB80BFEE75 | SHA256: 642906467DA21E57419ADF9597477DC4A8E14221274AD286F6497CF34AB2B0CE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
35
DNS requests
17
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
PID/Process: not attributed in the report
GET 200 2.16.164.49:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted

PID/Process: not attributed in the report
GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted

PID/Process: not attributed in the report
GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted

PID/Process: not attributed in the report
GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted

PID/Process: not attributed in the report
GET 200 2.16.164.49:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted

PID 7144 PCOptimizerPro.exe
GET 200 104.18.38.233:80 http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | CN: unknown | Reputation: whitelisted

PID 1176 svchost.exe
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | Reputation: whitelisted

PID/Process: not attributed in the report
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | CN: unknown | Reputation: whitelisted

PID 7144 PCOptimizerPro.exe
GET 200 172.64.149.23:80 http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEGxVq9vQB5LHnQcM2BGe1r8%3D | CN: unknown | Reputation: whitelisted

PID 7144 PCOptimizerPro.exe
GET 301 50.63.8.124:80 http://www.pcoptimizerpro.com/admin/isrenewed.aspx?bitver=32&h=&uq=525400A80C84&uq1=18F7786F96EE&uq2=000000000000&tid=GLF&tidsub=1 | CN: unknown | Reputation: whitelisted
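The last request is the only one that is not CRL/OCSP traffic: PCOptimizerPro.exe calls a licence check (isrenewed.aspx) over cleartext HTTP on a host the DNS section below rates malicious, and the query string carries three 12-hex-digit "uq" identifiers. The following is an added example, not code from ANY.RUN or from the sample's vendor, that parses such a beacon and decodes those fields. Reading the uq values as MAC addresses is an interpretation based only on their width (12 hex digits) and the 52:54:00 prefix, which is the default OUI of QEMU/KVM virtual NICs; the vendor table and the flagged-host set are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Well-known OUIs of virtual network adapters (constructed lookup table for the example).
VM_OUIS = {
    "52:54:00": "QEMU/KVM default",
    "00:0C:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5D": "Hyper-V",
}

# URL copied from the HTTP requests table above.
OBSERVED_URL = ("http://www.pcoptimizerpro.com/admin/isrenewed.aspx"
                "?bitver=32&h=&uq=525400A80C84&uq1=18F7786F96EE&uq2=000000000000&tid=GLF&tidsub=1")

# Hosts the DNS section rates malicious (constructed set; feed it from your own blocklist).
FLAGGED_HOSTS = {"www.pcoptimizerpro.com"}


def as_mac(value: str):
    """Render a 12-hex-digit token as a colon-separated MAC address, or None if it is not one."""
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", value):
        return None
    return ":".join(value[i:i + 2].upper() for i in range(0, 12, 2))


def decode_beacon(url: str) -> dict:
    """Break a licence/telemetry URL into host, path, parameters and any MAC-shaped identifiers."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    identifiers = {}
    for name, value in params.items():
        mac = as_mac(value)
        if mac is None:
            continue
        oui = mac[:8]
        identifiers[name] = {
            "mac": mac,
            "oui": oui,
            "vm_vendor": VM_OUIS.get(oui),          # None when the prefix is not a known VM OUI
            "all_zero": mac == "00:00:00:00:00:00",  # adapter absent or not enumerated
        }
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "path": parts.path,
        "params": params,
        "identifiers": identifiers,
        "cleartext": parts.scheme == "http",
        "host_flagged": parts.hostname in FLAGGED_HOSTS,
        # A beacon that carries a VM-vendor MAC tells the operator the sample is being analysed.
        "vm_tell": any(i["vm_vendor"] for i in identifiers.values()),
    }


if __name__ == "__main__":
    result = decode_beacon(OBSERVED_URL)
    print(result["host"], "flagged" if result["host_flagged"] else "not flagged",
          "cleartext" if result["cleartext"] else "tls")
    for name, ident in result["identifiers"].items():
        print(f"{name}: {ident['mac']} ({ident['vm_vendor'] or 'unknown OUI'})")
```

Two things fall out for a detection engineer: the identifiers are hardware addresses sent in the clear, so the same beacon from a production host would leak that host's MAC to a domain already rated malicious; and because the sandbox's own MAC prefix is in the request, the server side can trivially tell analysis VMs from real victims.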

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID/Process: not attributed | 192.168.100.255:137 (NetBIOS name service broadcast) | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID/Process: not attributed | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID/Process: not attributed | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
PID/Process: not attributed | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
PID 4 System | 192.168.100.255:138 (NetBIOS datagram broadcast) | Domain: - | ASN: - | CN: - | whitelisted
PID 5064 SearchApp.exe | 2.23.209.177:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
PID/Process: not attributed | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
PID 1176 svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 1176 svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
PID 1076 svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.bing.com
  • 2.23.209.177
  • 2.23.209.179
  • 2.23.209.150
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.176
  • 2.23.209.140
  • 2.23.209.161
  • 2.23.209.149
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.73
  • 20.190.159.4
  • 20.190.159.68
  • 40.126.31.69
  • 20.190.159.64
  • 40.126.31.71
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
www.pcoptimizerpro.com
  • 50.63.8.124
malicious
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted

Threats

PID
Process
Class
Message
7144
PCOptimizerPro.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
7144
PCOptimizerPro.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
7144
PCOptimizerPro.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
Debug output

Process: regsvr32.exe (PID 6960)
Message (emitted twice, identical): the ATL registrar (.rgs) script for PCOptProCtxMenu.dll. It registers the DLL as an in-process COM server and, under both HKCR\* and HKCR\lnkfile, as a shell context-menu handler, so Explorer loads the DLL into its own process whenever a right-click menu is built for any file or shortcut. ForceRemove deletes the key before recreating it, which is why the Modification events above show "delete key" operations on the same paths that are then written.

HKCR
{
  NoRemove CLSID
  {
    ForceRemove {203ABD21-41F1-4F1B-BAE3-D6A89A90D239} = s 'PCProCtxMenu Class'
    {
      InprocServer32 = s 'C:\Program Files\PC Optimizer Pro\PCOptProCtxMenu.dll'
      {
        val ThreadingModel = s 'Apartment'
      }
    }
  }
  NoRemove *
  {
    NoRemove ShellEx
    {
      NoRemove ContextMenuHandlers
      {
        ForceRemove PCProCtxMenu = s '{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}'
      }
    }
  }
  NoRemove lnkfile
  {
    NoRemove ShellEx
    {
      NoRemove ContextMenuHandlers
      {
        ForceRemove PCProCtxMenu = s '{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}'
      }
    }
  }
}
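The registrar script above is the source of truth for what the Modification events section recorded: every "delete key" and "write" regsvr32 performed follows from the NoRemove/ForceRemove modifiers and the `= s '...'` and `val` assignments. The following is an added example, not code from ANY.RUN or from the sample's vendor: a small parser for the .rgs grammar that replays the script into registry operations, maps HKCR paths to the HKLM\SOFTWARE\Classes view a 32-bit regsvr32 writes (only the CLSID and Interface subtrees are redirected to WOW6432Node here, which is what the events above show; the per-file-type ShellEx keys are shared), and joins the ContextMenuHandlers entries to the CLSID's InprocServer32 path to answer the triage question: which DLL will Explorer load, and for which file types. The script text is copied from the debug output; everything else is constructed for the example.

```python
import re

# Script copied verbatim from the regsvr32 debug output above.
RGS_SCRIPT = (
    "HKCR { NoRemove CLSID { ForceRemove {203ABD21-41F1-4F1B-BAE3-D6A89A90D239} = s 'PCProCtxMenu Class' "
    "{ InprocServer32 = s 'C:\\Program Files\\PC Optimizer Pro\\PCOptProCtxMenu.dll' "
    "{ val ThreadingModel = s 'Apartment' } } } "
    "NoRemove * { NoRemove ShellEx { NoRemove ContextMenuHandlers "
    "{ ForceRemove PCProCtxMenu = s '{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}' } } } "
    "NoRemove lnkfile { NoRemove ShellEx { NoRemove ContextMenuHandlers "
    "{ ForceRemove PCProCtxMenu = s '{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}' } } } }"
)

_GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# A braced GUID is one token (so it is not confused with a block brace); quoted literals keep spaces.
_TOKEN = re.compile(_GUID + r"|'[^']*'|[{}=]|[^\s{}=']+")
MODIFIERS = ("NoRemove", "ForceRemove", "Delete")


def parse_rgs(script: str) -> list:
    """Replay an ATL registrar script into the operations it performs on registration.

    Returns dicts {op, key, name, value}: op is 'delete key' (ForceRemove/Delete) or 'write'.
    """
    toks = _TOKEN.findall(script)
    pos = 0
    ops = []

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def peek():
        return toks[pos] if pos < len(toks) else None

    def value():
        """Consume '= <type> <literal>' and return the literal (quotes stripped, 'd' as int)."""
        assert take() == "="
        typ, lit = take(), take()
        lit = lit[1:-1] if lit.startswith("'") else lit
        return int(lit, 0) if typ == "d" else lit

    def body(path):
        """Parse the contents of a '{ ... }' block belonging to registry key `path`."""
        while (tok := take()) != "}":
            if tok == "val":                       # named value under the current key
                name = take()
                ops.append({"op": "write", "key": path, "name": name, "value": value()})
                continue
            mode = None
            while tok in MODIFIERS:
                mode, tok = tok, take()
            key = f"{path}\\{tok}"
            if mode in ("ForceRemove", "Delete"):  # existing key (and subkeys) removed first
                ops.append({"op": "delete key", "key": key, "name": None, "value": None})
            if peek() == "=":                      # default value of the key
                ops.append({"op": "write", "key": key, "name": "(default)", "value": value()})
            if peek() == "{":
                take()
                body(key)

    while pos < len(toks):
        root = take()
        assert take() == "{", "root key must open a block"
        body(root)
    return ops


def to_hklm_path(rgs_key: str, wow64: bool) -> str:
    """Map an HKCR script path to the HKLM\\SOFTWARE\\Classes path a 32-bit (wow64) or 64-bit regsvr32 writes."""
    root, _, rest = rgs_key.partition("\\")
    if root != "HKCR":
        return rgs_key
    base = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
    top = rest.split("\\", 1)[0].lower()
    if wow64 and top in ("clsid", "interface"):   # redirected subtrees, as the events above show
        return f"{base}\\WOW6432Node\\{rest}"
    return f"{base}\\{rest}"


def context_menu_handlers(ops: list) -> dict:
    """Join ShellEx\\ContextMenuHandlers entries to the CLSID's InprocServer32: the DLL Explorer loads."""
    defaults = [o for o in ops if o["op"] == "write" and o["name"] == "(default)"]
    inproc = {}
    for o in defaults:
        m = re.fullmatch(r"HKCR\\CLSID\\(" + _GUID + r")\\InprocServer32", o["key"], re.I)
        if m:
            inproc[m.group(1).upper()] = o["value"]
    handlers = {}
    for o in defaults:
        m = re.fullmatch(r"HKCR\\([^\\]+)\\ShellEx\\ContextMenuHandlers\\([^\\]+)", o["key"], re.I)
        if m:
            clsid = str(o["value"]).upper()
            h = handlers.setdefault(m.group(2), {"clsid": clsid, "dll": inproc.get(clsid), "file_types": []})
            h["file_types"].append(m.group(1))
    return handlers


if __name__ == "__main__":
    operations = parse_rgs(RGS_SCRIPT)
    for o in operations:
        print(o["op"], to_hklm_path(o["key"], wow64=True), o["name"] or "", o["value"] or "")
    print(context_menu_handlers(operations))
```

Run against the script above, the replay yields three "delete key" operations (the CLSID and the two PCProCtxMenu handler keys) and the writes for the class name, the InprocServer32 path, ThreadingModel and the two handler CLSID references; the `*` registration means the handler applies to every file type, so the DLL path it resolves to is the one to hash, sign-check and, if needed, remove along with the four keys.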