File name: hwmonitor_1.52.exe
Full analysis: https://app.any.run/tasks/d445eb04-d971-409f-a454-4f809d7ba8fe
Verdict: Malicious activity
Analysis date: December 31, 2023, 13:41:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C975D8D0CC0F49852DC41FDD2E0B8201
SHA1: 1FF6A10902D3FD343AAD94243C82DB3AFB9B8E04
SHA256: 11192B73BC70393F4AC655A49441FA352F52D011CDB3F86C77B73CF1EB7AC7E0
SSDEEP: 49152:2UJOVLra/ub+GHD0sB8/0xM8ImbiK06E7pqdg0kSKHDsCh5t2F04bMJYHSAgg/KE:9CrF+GHNB8/4TImDFVI/jsDCTX5DwddH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads the Windows owner or organization settings
      • hwmonitor_1.52.tmp (PID: 1380)
    • Reads the Internet Settings
      • HWMonitor.exe (PID: 1732)
    • Checks Windows Trust Settings
      • HWMonitor.exe (PID: 1732)
    • Reads security settings of Internet Explorer
      • HWMonitor.exe (PID: 1732)
    • Adds/modifies Windows certificates
      • HWMonitor.exe (PID: 1732)
    • Reads settings of System Certificates
      • HWMonitor.exe (PID: 1732)
    • Drops a system driver (possible attempt to evade defenses)
      • HWMonitor.exe (PID: 1732)

    Reading the SUSPICIOUS set: the MALICIOUS section is empty and no malware configuration was extracted, so the "Malicious activity" verdict rests on these heuristics alone. The trust- and certificate-related signatures for PID 1732 line up with the CryptoAPI activity recorded further down (CryptnetUrlCache files, certificate trust list downloads from ctldl.windowsupdate.com, Let's Encrypt CRL and OCSP fetches), which is the chain building Windows performs when a process validates a TLS certificate; here it coincides with the HTTPS connection to download.cpuid.com. "Adds/modifies Windows certificates" therefore refers to writes to the CryptoAPI URL cache, not to a root-store change. The driver drop is the one signature that would be unusual for ordinary user software; hardware monitoring tools do load a kernel driver to read sensor registers, so it is expected for this product, but treat it as benign only after confirming the installer's Authenticode signature and that the SHA256 above matches the vendor's published release.
  • INFO

    • Checks supported languages

      • hwmonitor_1.52.exe (PID: 2040)
      • hwmonitor_1.52.tmp (PID: 124)
      • hwmonitor_1.52.exe (PID: 2016)
      • hwmonitor_1.52.tmp (PID: 1380)
      • HWMonitor.exe (PID: 1732)
    • Drops the executable file immediately after the start

      • hwmonitor_1.52.exe (PID: 2040)
      • hwmonitor_1.52.exe (PID: 2016)
      • hwmonitor_1.52.tmp (PID: 1380)
      • HWMonitor.exe (PID: 1732)
    • Reads the computer name

      • hwmonitor_1.52.tmp (PID: 124)
      • hwmonitor_1.52.tmp (PID: 1380)
      • HWMonitor.exe (PID: 1732)
    • Creates files in a temporary directory

      • hwmonitor_1.52.exe (PID: 2040)
      • hwmonitor_1.52.exe (PID: 2016)
      • HWMonitor.exe (PID: 1732)
    • Creates files in the program directory

      • hwmonitor_1.52.tmp (PID: 1380)
    • Manual execution by a user

      • HWMonitor.exe (PID: 1780)
      • HWMonitor.exe (PID: 1732)
    • Checks proxy server information

      • HWMonitor.exe (PID: 1732)
    • Reads the machine GUID from the registry

      • HWMonitor.exe (PID: 1732)
    • Creates files or folders in the user directory

      • HWMonitor.exe (PID: 1732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00 (the constant link timestamp that Delphi-built binaries, including the Inno Setup loader, carry; it is not the build date)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 41984
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0xaad0
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: CPUID, Inc.
FileDescription: CPUID HWMonitor Setup
FileVersion:
LegalCopyright:
ProductName: CPUID HWMonitor
ProductVersion: 1.52
All screenshots are available in the full report
Total processes: 46
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 1

Behavior graph

The interactive graph is only available in the full report. Process tree reconstructed from the Process information table below; the links inside the setup chain follow from the is-*.tmp directory each stage extracted (2040 dropped is-8IHHN.tmp, which 124 ran from; 2016 dropped is-JRNCO.tmp, which 1380 ran from) and from the /SPAWNWND and /NOTIFYWND handles that 124 passed to 2016:

explorer.exe
├── hwmonitor_1.52.exe (PID 2040, MEDIUM) - Inno Setup bootstrap
│   └── hwmonitor_1.52.tmp (PID 124, MEDIUM) - extracted setup loader
│       └── hwmonitor_1.52.exe (PID 2016, HIGH) - elevated re-launch via UAC
│           └── hwmonitor_1.52.tmp (PID 1380, HIGH) - performs the installation
├── HWMonitor.exe (PID 1780, MEDIUM) - exit 0xC000042C STATUS_ELEVATION_REQUIRED
└── HWMonitor.exe (PID 1732, HIGH) - elevated instance, all network activity

Process information

PID: 124
CMD: "C:\Users\admin\AppData\Local\Temp\is-8IHHN.tmp\hwmonitor_1.52.tmp" /SL5="$301AA,1234407,58368,C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-8IHHN.tmp\hwmonitor_1.52.tmp
Parent process: hwmonitor_1.52.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-8ihhn.tmp\hwmonitor_1.52.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 1380
CMD: "C:\Users\admin\AppData\Local\Temp\is-JRNCO.tmp\hwmonitor_1.52.tmp" /SL5="$601B2,1234407,58368,C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe" /SPAWNWND=$401AE /NOTIFYWND=$301AA
Path: C:\Users\admin\AppData\Local\Temp\is-JRNCO.tmp\hwmonitor_1.52.tmp
Parent process: hwmonitor_1.52.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-jrnco.tmp\hwmonitor_1.52.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 1732
CMD: "C:\Program Files\CPUID\HWMonitor\HWMonitor.exe"
Path: C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
Parent process: explorer.exe
User: admin
Company: CPUID
Integrity Level: HIGH
Description: HWMonitor
Exit code: 0
Version: 1, 5, 2, 0
Modules (images):
c:\program files\cpuid\hwmonitor\hwmonitor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID: 1780
CMD: "C:\Program Files\CPUID\HWMonitor\HWMonitor.exe"
Path: C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
Parent process: explorer.exe
User: admin
Company: CPUID
Integrity Level: MEDIUM
Description: HWMonitor
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch from explorer.exe was refused because the image requires elevation, which is why only ntdll.dll was ever mapped; PID 1732 is the elevated instance that followed)
Version: 1, 5, 2, 0
Modules (images):
c:\program files\cpuid\hwmonitor\hwmonitor.exe
c:\windows\system32\ntdll.dll

PID: 2016
CMD: "C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe" /SPAWNWND=$401AE /NOTIFYWND=$301AA
Path: C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe
Parent process: hwmonitor_1.52.tmp
User: admin
Company: CPUID, Inc.
Integrity Level: HIGH
Description: CPUID HWMonitor Setup
Exit code: 0
Version: (none)
Modules (images):
c:\users\admin\appdata\local\temp\hwmonitor_1.52.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 2040
CMD: "C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe"
Path: C:\Users\admin\AppData\Local\Temp\hwmonitor_1.52.exe
Parent process: explorer.exe
User: admin
Company: CPUID, Inc.
Integrity Level: MEDIUM
Description: CPUID HWMonitor Setup
Exit code: 0
Version: (none)
Modules (images):
c:\users\admin\appdata\local\temp\hwmonitor_1.52.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
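As an added triage helper (not part of the ANY.RUN report or of CPUID's software), the Python below re-reads the six processes above as structured records, flags every parent-to-child integrity-level increase, and decodes exit codes as NTSTATUS values. The process records are transcribed from the table; the parent PIDs are an assumption, since the report lists parent names only and the chain 2040 → 124 → 2016 → 1380 is inferred from the is-*.tmp directory each stage extracted. The NTSTATUS table holds only the two codes that occur in this report.

```python
# Added triage helper. Process records are transcribed from the report's
# Process information table; the "ppid" links are an inference, not report data.
PROCESSES = [
    {"pid": 2040, "name": "hwmonitor_1.52.exe", "ppid": None, "parent": "explorer.exe",
     "integrity": "MEDIUM", "exit_code": 0},
    {"pid": 124, "name": "hwmonitor_1.52.tmp", "ppid": 2040, "parent": "hwmonitor_1.52.exe",
     "integrity": "MEDIUM", "exit_code": 0},
    {"pid": 2016, "name": "hwmonitor_1.52.exe", "ppid": 124, "parent": "hwmonitor_1.52.tmp",
     "integrity": "HIGH", "exit_code": 0},
    {"pid": 1380, "name": "hwmonitor_1.52.tmp", "ppid": 2016, "parent": "hwmonitor_1.52.exe",
     "integrity": "HIGH", "exit_code": 0},
    {"pid": 1780, "name": "HWMonitor.exe", "ppid": None, "parent": "explorer.exe",
     "integrity": "MEDIUM", "exit_code": 3221226540},
    {"pid": 1732, "name": "HWMonitor.exe", "ppid": None, "parent": "explorer.exe",
     "integrity": "HIGH", "exit_code": 0},
]

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# Only the NTSTATUS values that occur in this report; extend from ntstatus.h as needed.
NTSTATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC000042C: "STATUS_ELEVATION_REQUIRED"}


def decode_exit_code(code):
    """Interpret a sandbox exit code as a 32-bit NTSTATUS.

    Bits 31-30 carry the severity; 0b11 (values printed as 0xC...) is an error,
    so a process that "exited" with such a code never ran its own image code.
    """
    code &= 0xFFFFFFFF
    return {
        "hex": f"0x{code:08X}",
        "is_error": (code >> 30) == 0b11,
        "name": NTSTATUS_NAMES.get(code, "unknown"),
    }


def elevation_events(processes):
    """(parent_pid, child_pid) pairs where the child runs at a higher integrity level than its parent."""
    by_pid = {p["pid"]: p for p in processes}
    events = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        if parent and INTEGRITY_RANK[p["integrity"]] > INTEGRITY_RANK[parent["integrity"]]:
            events.append((parent["pid"], p["pid"]))
    return events


def failed_launches(processes):
    """PIDs whose exit code is an NTSTATUS error (here: the refused medium-integrity launch)."""
    return [p["pid"] for p in processes if decode_exit_code(p["exit_code"])["is_error"]]


def render_tree(processes):
    """Indented text tree; roots are processes whose parent is outside the monitored set."""
    children = {}
    for p in processes:
        children.setdefault(p["ppid"], []).append(p)
    lines = []

    def walk(ppid, depth):
        for p in children.get(ppid, []):
            status = decode_exit_code(p["exit_code"])
            flag = f"  <- {status['name']}" if status["is_error"] else ""
            lines.append(f"{'    ' * depth}{p['name']} (PID {p['pid']}, {p['integrity']}){flag}")
            walk(p["pid"], depth + 1)

    walk(None, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCESSES))
    print("elevation:", elevation_events(PROCESSES))
    print("failed launches:", failed_launches(PROCESSES))
```

On this data the only elevation edge is 124 → 2016, the Inno Setup loader relaunching the installer through UAC, and the only failed launch is PID 1780; a medium-to-high edge whose child was not started through the UAC path, or an error exit that is not STATUS_ELEVATION_REQUIRED, would be the cases worth a closer look in other reports.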
Total events: 6 843
Read events: 6 809
Write events: 28
Delete events: 6

Modification events

PID / process: 1380, hwmonitor_1.52.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFilesHash
Value: EDE927240962CF70238698761C228B80F6663406C98230180971AF6FB562DC20

PID / process: 1380, hwmonitor_1.52.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFiles0000
Value: C:\Program Files\CPUID\HWMonitor\HWMonitor.exe

PID / process: 1380, hwmonitor_1.52.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Sequence
Value: 1

PID / process: 1380, hwmonitor_1.52.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: SessionHash
Value: C3A183703AF8372EEE45A486DDEE04EA1765431D4A17516116376E0E1030B495

PID / process: 1380, hwmonitor_1.52.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Owner
Value: 64050000C6384A05EF3BDA01

PID / process: 1380, hwmonitor_1.52.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete key
Name: (default)

PID / process: 1732, HWMonitor.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

PID / process: 1732, HWMonitor.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID / process: 1732, HWMonitor.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID / process: 1732, HWMonitor.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

The RestartManager\Session0000 values are the state a Restart Manager session keeps while an installer checks whether the files it is about to replace (RegFiles0000 = the HWMonitor.exe being installed) are held open by running processes; the first DWORD of Owner, 0x564 = 1380, is the PID of the session owner. Inno Setup opens such a session before copying files, and the six deletions are that session being closed. The Internet Settings writes are WinINet's per-user proxy and zone configuration being initialised for PID 1732 (ProxyEnable=0, a connection-settings blob in SavedLegacySettings, ZoneMap defaults); they are what the "Reads the Internet Settings", "Checks proxy server information" and "Reads security settings of Internet Explorer" signatures above refer to, and they precede the HTTPS connection to download.cpuid.com.
Executable files: 7
Suspicious files: 15
Text files: 3
Unknown types: 0

Dropped files

PID: 2040 (hwmonitor_1.52.exe)
File: C:\Users\admin\AppData\Local\Temp\is-8IHHN.tmp\hwmonitor_1.52.tmp
Type: executable
MD5: 318AC5138773AED192C72971D28C3984
SHA256: 1E618C685C04E75291F908E9F7FBE8060F9766E0E9711142ABC2A1E3961A63EB

PID: 2016 (hwmonitor_1.52.exe)
File: C:\Users\admin\AppData\Local\Temp\is-JRNCO.tmp\hwmonitor_1.52.tmp
Type: executable
MD5: 318AC5138773AED192C72971D28C3984
SHA256: 1E618C685C04E75291F908E9F7FBE8060F9766E0E9711142ABC2A1E3961A63EB

PID: 1380 (hwmonitor_1.52.tmp)
File: C:\Program Files\CPUID\HWMonitor\is-VQ3G6.tmp
Type: executable
MD5: D7F245246F2597F7F23E15EA779CC5AB
SHA256: 62CD1A2E8FE364F954F56438F5DB89B54F9F085531833C236C54E9A0AF496BE5

PID: 1380 (hwmonitor_1.52.tmp)
File: C:\Program Files\CPUID\HWMonitor\hwm_readme.txt
Type: text
MD5: F86BFE7020B639F6A70F20C00CE12F90
SHA256: E94300217D273F11EBC58EB273E5000EC86471E5C10CA12BB36FFBCDCC9FA666

PID: 1380 (hwmonitor_1.52.tmp)
File: C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
Type: executable
MD5: D7F245246F2597F7F23E15EA779CC5AB
SHA256: 62CD1A2E8FE364F954F56438F5DB89B54F9F085531833C236C54E9A0AF496BE5

PID: 1380 (hwmonitor_1.52.tmp)
File: C:\Program Files\CPUID\HWMonitor\is-1HQ3S.tmp
Type: text
MD5: F86BFE7020B639F6A70F20C00CE12F90
SHA256: E94300217D273F11EBC58EB273E5000EC86471E5C10CA12BB36FFBCDCC9FA666

PID: 1380 (hwmonitor_1.52.tmp)
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\HWMonitor\HWMonitor.lnk
Type: binary
MD5: AD6B1B757E0AB3EB52ECEB2F065203C9
SHA256: E42751E4F60D8584A87E5AF9C85AB65563337F2F4C6F8BADA2A4F1E2E5EE20C3

PID: 1732 (HWMonitor.exe)
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: BD0940A8C163D097FD5A252C7BE34F48
SHA256: 55AF12C390A2B7C57C1607528D587ED224EAF5A7FCA83DF313B3AEBB07D1064B

PID: 1380 (hwmonitor_1.52.tmp)
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\HWMonitor\Uninstall HWMonitor.lnk
Type: binary
MD5: 3C61CC354097A4C3EAE437E8ABDBFA6B
SHA256: 07CE4BCB244C0ABE77F53465518E464E8F3F3250167D9BC217883CCE800DE243

PID: 1732 (HWMonitor.exe)
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Type: binary
MD5: 870F0DD29F3B8BD9278333B8D4C3E48D
SHA256: 43BC9486805B9DD1C5F47CB362F00F6AD9B76C1179E64D4C518D2F0E06691E9F

Reading the hashes: the two is-*.tmp / final-name pairs (is-VQ3G6.tmp and HWMonitor.exe, is-1HQ3S.tmp and hwm_readme.txt) carry identical digests because Inno Setup extracts each payload file under a temporary is-*.tmp name and then renames it into place; the two extracted setup stages (run as PIDs 124 and 1380) are the same Inno Setup loader binary, hence one hash 318AC513... for both. The CryptnetUrlCache\MetaData entries under LocalLow are CryptoAPI's on-disk cache for objects it fetched over HTTP (the trust lists, CRL and OCSP response listed under HTTP requests), and they are the files behind the "Adds/modifies Windows certificates" signature. The driver flagged under SUSPICIOUS is not among the files shown here (this list is truncated: 7 executables were counted), so its path and hash have to be taken from the full report.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 8
DNS requests: 4
Threats: 0

HTTP requests

PID: 1732 (HWMonitor.exe)
Method / HTTP code: GET 200
IP: 184.24.77.202:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3464d7097e0ab8ab
Type / size: compressed, 4.66 Kb
Reputation: unknown

PID: 1732 (HWMonitor.exe)
Method / HTTP code: GET 200
IP: 184.24.77.202:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ae5c3d36ab1426c9
Type / size: compressed, 65.2 Kb
Reputation: unknown

PID: 1732 (HWMonitor.exe)
Method / HTTP code: GET 200
IP: 69.192.161.44:80
URL: http://x1.c.lencr.org/
Type / size: binary, 717 b
Reputation: unknown

PID: 1732 (HWMonitor.exe)
Method / HTTP code: GET 200
IP: 2.16.241.8:80
URL: http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTN4TiYAHgnmEyPhblHc%2F5gew%3D%3D
Type / size: binary, 503 b
Reputation: unknown

All four requests are Windows CryptoAPI certificate-chain maintenance rather than traffic the sample composes itself: the two .cab downloads from ctldl.windowsupdate.com are the Disallowed Certificates and AuthRoot certificate trust lists fetched by the automatic root update mechanism; http://x1.c.lencr.org/ is the CRL distribution point named in the Let's Encrypt intermediate certificate (the 717-byte response is a small CRL); and the r3.o.lencr.org request is an OCSP status check for a certificate issued by Let's Encrypt R3, with the DER-encoded OCSPRequest carried base64-encoded in the GET path as RFC 6960 appendix A specifies. These fetches use plain HTTP by design, since revocation and trust-list lookups cannot themselves depend on TLS validation, so the absence of HTTPS here is not a finding; they are the expected side effect of the HTTPS connection to download.cpuid.com:443 listed under Connections.
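To confirm that the r3.o.lencr.org request above really is an OCSP query and to recover which certificate it asks about, the following added Python example (not part of the ANY.RUN report) URL-decodes and base64-decodes the GET path and walks the DER structure with a minimal TLV reader: OCSPRequest > TBSRequest > requestList > Request > CertID (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber), also reporting whether a nonce extension is present. The REPORT_URL constant is copied from the table above; the OID names in HASH_OIDS and OCSP_NONCE_OID are standard values, and everything else is this example's own code.

```python
import base64
from urllib.parse import unquote, urlparse

# The OCSP GET request recorded in this report (PID 1732 -> r3.o.lencr.org).
REPORT_URL = (
    "http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3"
    "NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTN4TiYAHgnmEyPhblHc%2F5gew%3D%3D"
)

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
OCSP_NONCE_OID = "1.3.6.1.5.5.7.48.1.2"       # id-pkix-ocsp-nonce


def der_tlv(buf, pos=0):
    """Read one DER element at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_tlv(content, pos)
        out.append((tag, val))
    return out


def decode_oid(content):
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url):
    """Decode an RFC 6960 OCSP GET request (base64 DER in the URL path).

    Returns one dict per CertID in the request, each noting whether the
    request carried a nonce extension (CryptoAPI normally sends none, which
    is what makes the response cacheable in CryptnetUrlCache).
    """
    der = base64.b64decode(unquote(urlparse(url).path.lstrip("/")))
    tag, ocsp_request, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = der_children(ocsp_request)[0][1]           # optionalSignature [0], if any, is ignored
    request_list, extensions = b"", b""
    for t, v in der_children(tbs):
        if t == 0x30:                                # requestList SEQUENCE OF Request
            request_list = v
        elif t == 0xA2:                              # requestExtensions [2] EXPLICIT Extensions
            extensions = v
    has_nonce = any(
        decode_oid(der_children(ext)[0][1]) == OCSP_NONCE_OID
        for _, ext in der_children(der_children(extensions)[0][1])
    ) if extensions else False
    certs = []
    for _, request in der_children(request_list):
        cert_id = der_children(request)[0][1]        # reqCert CertID
        alg, name_hash, key_hash, serial = der_children(cert_id)
        certs.append({
            "hash_alg": HASH_OIDS.get(decode_oid(der_children(alg[1])[0][1]), "unknown"),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": serial[1].hex(),
            "nonce": has_nonce,
        })
    return certs


if __name__ == "__main__":
    for cert in parse_ocsp_get(REPORT_URL):
        print(cert)
```

The issuerKeyHash that comes out is the SHA-1 of the issuer's public key, which is the value the issuing CA normally publishes as its Subject Key Identifier; comparing it with the Subject Key Identifier of the Let's Encrypt R3 intermediate, and the 18-byte serial with the serial of the certificate download.cpuid.com presents in the PCAP, ties this request to the TLS handshake rather than to anything the sample chose to contact.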

Connections

PID: 4 (System)
IP: 192.168.100.255:138
Reputation: unknown

PID: 4 (System)
IP: 192.168.100.255:137
Reputation: unknown

PID: 1080 (svchost.exe)
IP: 224.0.0.252:5355
Reputation: unknown

PID: 1732 (HWMonitor.exe)
IP: 195.154.81.43:443
Domain: download.cpuid.com
ASN: Online S.a.s.
CN: FR
Reputation: unknown

PID: 1732 (HWMonitor.exe)
IP: 184.24.77.202:80
Domain: ctldl.windowsupdate.com
ASN: Akamai International B.V.
CN: DE
Reputation: unknown

PID: 1732 (HWMonitor.exe)
IP: 69.192.161.44:80
Domain: x1.c.lencr.org
ASN: AKAMAI-AS
CN: DE
Reputation: unknown

PID: 1732 (HWMonitor.exe)
IP: 2.16.241.8:80
Domain: r3.o.lencr.org
ASN: Akamai International B.V.
CN: DE
Reputation: unknown

The PID 4 (System) connections to 192.168.100.255 on UDP 137 and 138 are NetBIOS name-service and datagram broadcasts, and the svchost.exe connection to 224.0.0.252:5355 is LLMNR multicast; both are Windows guest background traffic unrelated to the sample. The only endpoint the sample contacts on its own initiative is download.cpuid.com:443, the vendor's domain; the TLS payload is not visible in this summary, so the certificate and any update check have to be read from the PCAP in the full report.

DNS requests

Domain: download.cpuid.com
IP: 195.154.81.43
Reputation: unknown

Domain: ctldl.windowsupdate.com
IP: 184.24.77.202, 184.24.77.194
Reputation: unknown

Domain: x1.c.lencr.org
IP: 69.192.161.44
Reputation: unknown

Domain: r3.o.lencr.org
IP: 2.16.241.8, 2.16.241.15
Reputation: unknown

Threats

No threats detected

Debug info

No debug info