File name:	HWiNFO64.exe
Full analysis:	https://app.any.run/tasks/05ace31b-1037-4e65-b484-66c1937548b8
Verdict:	Malicious activity
Analysis date:	March 07, 2025, 04:57:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	hwinfo tool upx antivm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 3 sections
MD5:	70CB4F898C054CB67C809F6A1623FC7D
SHA1:	EDD32DBCC5A38743FF93F1AD0AA2FA1CFAC22D46
SHA256:	136AF1C5097D2BD04E1195C929124CE8545D16170D7B6E7AE6F13FEB61E3C0AE
SSDEEP:	98304:ojjt1JJNSYAlYsIVJ4i4NXQAJAKhjeeeI6hqPIb1KniD2FN8IMZP2K18NyGb7ocY:g89bOivmlX

.exe	\|	Win64 Executable (generic) (47)
.exe	\|	UPX compressed Win32 Executable (46.1)
.exe	\|	Generic Win/DOS Executable (3.4)
.exe	\|	DOS Executable Generic (3.4)

MachineType:	AMD AMD64
TimeStamp:	2025:02:26 08:44:34+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	9465856
InitializedDataSize:	114688
UninitializedDataSize:	19288064
EntryPoint:	0x1b6bd60
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	8.22.5670.0
ProductVersionNumber:	8.22.5670.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	REALiX s.r.o.
FileVersion:	8.22-5670
ProductVersion:	8.22-5670
LegalCopyright:	Copyright (c)1999-2025 Martin Malik, REALiX s.r.o.
InternalName:	HWiNFO® 64
FileDescription:	HWiNFO® 64 (x64)
OriginalFileName:	HWiNFO64.EXE
ProductName:	Hardware Info Program for x64 (HWiNFO® 64)

PID	Process	Filename		Type
7156	HWiNFO64.exe	C:\Users\admin\AppData\Local\Temp\HWiNFO_x64_204.sys		executable
		MD5:3E7E10631FC581DBB9C5F97793F07F15	SHA256:F79C9CCF61C35B7DDAE2D68BF74DEDCD87364430E76CA4E9955B8E5F606EEE51
7156	HWiNFO64.exe	C:\Windows\INF\basicdisplay.PNF		binary
		MD5:914DCB989709A0CE3F4B24A4CD147F1A	SHA256:C2FEE0EAD23C7B3B509FDDE94DDD6A549F999F364C5CA9D09AC084F22BC0ECB4
7156	HWiNFO64.exe	C:\Windows\INF\machine.PNF		binary
		MD5:4C103190BC521FF032845C1B5FDADC4F	SHA256:28C1DEE803488C32BF5229B05FB3F6DA8959A436BB17D331E68AFA61A3BE932F
7156	HWiNFO64.exe	C:\Windows\INF\wvid.PNF		binary
		MD5:001A053A392EF45B9336D4CF9748BE29	SHA256:258ED93549F63B9A368086660F32A95DF07E7603ED01BA8722EE8C1DA27789C2
7156	HWiNFO64.exe	C:\Users\admin\Desktop\HWiNFO64.INI		text
		MD5:31EA0D720B02F5BE9A0A8C843FA525B6	SHA256:2B52116A161DB87EAD7FBA5329E113610A39EC5183D713A9D9A7222FE657C949
7156	HWiNFO64.exe	C:\Windows\INF\display.PNF		binary
		MD5:62887E3F2C67C748F05C629DB62182A4	SHA256:1B686CFC6E98A6034A28BA9BE22C190723467365477E75A18A78104A26554CE9
7156	HWiNFO64.exe	C:\Windows\INF\basicrender.PNF		binary
		MD5:8567F128605CC616A38D0870D077D165	SHA256:7B2D28D317F49EED7BC242241E54EB3FFFB512C5FB6F719C4F5E9395E6B1F533

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5024	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7156	HWiNFO64.exe	104.21.22.164:443	www.hwinfo.com	CLOUDFLARENET	—	whitelisted
6324	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3096	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.184.206	whitelisted
www.hwinfo.com	104.21.22.164 172.67.205.235	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

HWiNFO64.exe

70CB4F898C054CB67C809F6A1623FC7D

EDD32DBCC5A38743FF93F1AD0AA2FA1CFAC22D46

136AF1C5097D2BD04E1195C929124CE8545D16170D7B6E7AE6F13FEB61E3C0AE

98304:ojjt1JJNSYAlYsIVJ4i4NXQAJAKhjeeeI6hqPIb1KniD2FN8IMZP2K18NyGb7ocY:g89bOivmlX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Drops a system driver (possible attempt to evade defenses)

The process checks if it is being run in the virtual environment

Reads the BIOS version

Reads security settings of Internet Explorer

There is functionality for VM detection antiVM strings (YARA)

INFO

The sample compiled with english language support

HWINFO mutex has been found

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads CPU info

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings