File name:

hwmonitor_1.52.exe

Full analysis: https://app.any.run/tasks/d445eb04-d971-409f-a454-4f809d7ba8fe
Verdict: Malicious activity
Analysis date: December 31, 2023, 13:41:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C975D8D0CC0F49852DC41FDD2E0B8201

SHA1:

1FF6A10902D3FD343AAD94243C82DB3AFB9B8E04

SHA256:

11192B73BC70393F4AC655A49441FA352F52D011CDB3F86C77B73CF1EB7AC7E0

SSDEEP:

49152:2UJOVLra/ub+GHD0sB8/0xM8ImbiK06E7pqdg0kSKHDsCh5t2F04bMJYHSAgg/KE:9CrF+GHNB8/4TImDFVI/jsDCTX5DwddH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • hwmonitor_1.52.tmp (PID: 1380)

    • Reads the Internet Settings

      • HWMonitor.exe (PID: 1732)

    • Reads security settings of Internet Explorer

      • HWMonitor.exe (PID: 1732)

    • Reads settings of System Certificates

      • HWMonitor.exe (PID: 1732)

    • Adds/modifies Windows certificates

      • HWMonitor.exe (PID: 1732)

    • Drops a system driver (possible attempt to evade defenses)

      • HWMonitor.exe (PID: 1732)

    • Checks Windows Trust Settings

      • HWMonitor.exe (PID: 1732)

  • INFO

    • Checks supported languages

      • hwmonitor_1.52.tmp (PID: 124)
      • hwmonitor_1.52.exe (PID: 2016)
      • hwmonitor_1.52.tmp (PID: 1380)
      • hwmonitor_1.52.exe (PID: 2040)
      • HWMonitor.exe (PID: 1732)

    • Drops the executable file immediately after the start

      • hwmonitor_1.52.exe (PID: 2040)
      • hwmonitor_1.52.exe (PID: 2016)
      • hwmonitor_1.52.tmp (PID: 1380)
      • HWMonitor.exe (PID: 1732)

    • Create files in a temporary directory

      • hwmonitor_1.52.exe (PID: 2040)
      • hwmonitor_1.52.exe (PID: 2016)
      • HWMonitor.exe (PID: 1732)

    • Reads the computer name

      • hwmonitor_1.52.tmp (PID: 124)
      • HWMonitor.exe (PID: 1732)
      • hwmonitor_1.52.tmp (PID: 1380)

    • Manual execution by a user

      • HWMonitor.exe (PID: 1732)
      • HWMonitor.exe (PID: 1780)

    • Reads the machine GUID from the registry

      • HWMonitor.exe (PID: 1732)

    • Checks proxy server information

      • HWMonitor.exe (PID: 1732)

    • Creates files or folders in the user directory

      • HWMonitor.exe (PID: 1732)

    • Creates files in the program directory

      • hwmonitor_1.52.tmp (PID: 1380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 41984
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0xaad0
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: CPUID, Inc.
FileDescription: CPUID HWMonitor Setup
FileVersion:
LegalCopyright:
ProductName: CPUID HWMonitor
ProductVersion: 1.52
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start hwmonitor_1.52.exe no specs hwmonitor_1.52.tmp no specs hwmonitor_1.52.exe hwmonitor_1.52.tmp no specs hwmonitor.exe no specs hwmonitor.exe

Process information

PID
CMD
Path
Indicators
Parent process
124"C:\Users\admin\AppData\Local\Temp\is-8IHHN.tmp\hwmonitor_1.52.tmp" /SL5="$301AA,1234407,58368,C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe" C:\Users\admin\AppData\Local\Temp\is-8IHHN.tmp\hwmonitor_1.52.tmphwmonitor_1.52.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-8ihhn.tmp\hwmonitor_1.52.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
1380"C:\Users\admin\AppData\Local\Temp\is-JRNCO.tmp\hwmonitor_1.52.tmp" /SL5="$601B2,1234407,58368,C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe" /SPAWNWND=$401AE /NOTIFYWND=$301AA C:\Users\admin\AppData\Local\Temp\is-JRNCO.tmp\hwmonitor_1.52.tmphwmonitor_1.52.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-jrnco.tmp\hwmonitor_1.52.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
1732"C:\Program Files\CPUID\HWMonitor\HWMonitor.exe" C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
explorer.exe
User:
admin
Company:
CPUID
Integrity Level:
HIGH
Description:
HWMonitor
Exit code:
0
Version:
1, 5, 2, 0
Modules
Images
c:\program files\cpuid\hwmonitor\hwmonitor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
1780"C:\Program Files\CPUID\HWMonitor\HWMonitor.exe" C:\Program Files\CPUID\HWMonitor\HWMonitor.exeexplorer.exe
User:
admin
Company:
CPUID
Integrity Level:
MEDIUM
Description:
HWMonitor
Exit code:
3221226540
Version:
1, 5, 2, 0
Modules
Images
c:\program files\cpuid\hwmonitor\hwmonitor.exe
c:\windows\system32\ntdll.dll
2016"C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe" /SPAWNWND=$401AE /NOTIFYWND=$301AA C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe
hwmonitor_1.52.tmp
User:
admin
Company:
CPUID, Inc.
Integrity Level:
HIGH
Description:
CPUID HWMonitor Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\hwmonitor_1.52.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
2040"C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe" C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exeexplorer.exe
User:
admin
Company:
CPUID, Inc.
Integrity Level:
MEDIUM
Description:
CPUID HWMonitor Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\hwmonitor_1.52.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
Total events
6 843
Read events
6 809
Write events
28
Delete events
6

Modification events

(PID) Process:(1380) hwmonitor_1.52.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFilesHash
Value:
EDE927240962CF70238698761C228B80F6663406C98230180971AF6FB562DC20
(PID) Process:(1380) hwmonitor_1.52.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFiles0000
Value:
C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
(PID) Process:(1380) hwmonitor_1.52.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Sequence
Value:
1
(PID) Process:(1380) hwmonitor_1.52.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:SessionHash
Value:
C3A183703AF8372EEE45A486DDEE04EA1765431D4A17516116376E0E1030B495
(PID) Process:(1380) hwmonitor_1.52.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Owner
Value:
64050000C6384A05EF3BDA01
(PID) Process:(1380) hwmonitor_1.52.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete keyName:(default)
Value:
(PID) Process:(1732) HWMonitor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1732) HWMonitor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1732) HWMonitor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1732) HWMonitor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
7
Suspicious files
15
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
1380hwmonitor_1.52.tmpC:\Program Files\CPUID\HWMonitor\HWMonitor.exeexecutable
MD5:D7F245246F2597F7F23E15EA779CC5AB
SHA256:62CD1A2E8FE364F954F56438F5DB89B54F9F085531833C236C54E9A0AF496BE5
1380hwmonitor_1.52.tmpC:\Users\Public\Desktop\CPUID HWMonitor.lnkbinary
MD5:4D80698184D1529C72FF2A15EE3379AA
SHA256:831BEDE4DCEBE2DE9AE4B43BA58E02467AF82388DFBC131C727E31EF4DDA5FC2
1380hwmonitor_1.52.tmpC:\Program Files\CPUID\HWMonitor\hwm_readme.txttext
MD5:F86BFE7020B639F6A70F20C00CE12F90
SHA256:E94300217D273F11EBC58EB273E5000EC86471E5C10CA12BB36FFBCDCC9FA666
1732HWMonitor.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
2016hwmonitor_1.52.exeC:\Users\admin\AppData\Local\Temp\is-JRNCO.tmp\hwmonitor_1.52.tmpexecutable
MD5:318AC5138773AED192C72971D28C3984
SHA256:1E618C685C04E75291F908E9F7FBE8060F9766E0E9711142ABC2A1E3961A63EB
1380hwmonitor_1.52.tmpC:\Program Files\CPUID\HWMonitor\unins000.msgbinary
MD5:2019EFB38EB66ED6ECA1747CE0E0A7DC
SHA256:D816931A62CB3BC09FF5D8326D33DBE7C6129C3E804321DFD6C57F5BA93FB715
1380hwmonitor_1.52.tmpC:\Program Files\CPUID\HWMonitor\is-BEBNA.tmpexecutable
MD5:318AC5138773AED192C72971D28C3984
SHA256:1E618C685C04E75291F908E9F7FBE8060F9766E0E9711142ABC2A1E3961A63EB
1732HWMonitor.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
1380hwmonitor_1.52.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\HWMonitor\Uninstall HWMonitor.lnkbinary
MD5:3C61CC354097A4C3EAE437E8ABDBFA6B
SHA256:07CE4BCB244C0ABE77F53465518E464E8F3F3250167D9BC217883CCE800DE243
1380hwmonitor_1.52.tmpC:\Program Files\CPUID\HWMonitor\unins000.exeexecutable
MD5:318AC5138773AED192C72971D28C3984
SHA256:1E618C685C04E75291F908E9F7FBE8060F9766E0E9711142ABC2A1E3961A63EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1732
HWMonitor.exe
GET
200
184.24.77.202:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3464d7097e0ab8ab
unknown
compressed
4.66 Kb
unknown
1732
HWMonitor.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
binary
717 b
unknown
1732
HWMonitor.exe
GET
200
184.24.77.202:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ae5c3d36ab1426c9
unknown
compressed
65.2 Kb
unknown
1732
HWMonitor.exe
GET
200
2.16.241.8:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTN4TiYAHgnmEyPhblHc%2F5gew%3D%3D
unknown
binary
503 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1732
HWMonitor.exe
195.154.81.43:443
download.cpuid.com
Online S.a.s.
FR
unknown
1732
HWMonitor.exe
184.24.77.202:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1732
HWMonitor.exe
69.192.161.44:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
1732
HWMonitor.exe
2.16.241.8:80
r3.o.lencr.org
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
download.cpuid.com
  • 195.154.81.43
whitelisted
ctldl.windowsupdate.com
  • 184.24.77.202
  • 184.24.77.194
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
r3.o.lencr.org
  • 2.16.241.8
  • 2.16.241.15
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
hwmonitor_1.52.exe