File name: openhardwaremonitor-v0.9.6.zip

Full analysis: https://app.any.run/tasks/cee6153d-c0ed-47f1-80a8-415ce76684f1
Verdict: Malicious activity
Analysis date: January 07, 2024, 06:46:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 6F649C4615A01A4911283F2FECC00211
SHA1: BE8214DE9EBE3B9DC7470F3F10321AA2043F20F0
SHA256: 5E238C36AE5F8A8AB9AA5E6FA3C568967D61953393384C7C8FD6370F8BC86B85
SSDEEP: 12288:X1lKssKgSWgd+8RzGs4VcyB/kMNikz6FXSTjKTe9IAaV:X1Qssi+8R54vhtNf+FpxAq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Creates a writable file in the system directory
      • OpenHardwareMonitor.exe (PID: 696)
      • mofcomp.exe (PID: 1924)
    • Starts Visual C# compiler
      • OpenHardwareMonitor.exe (PID: 696)
  • SUSPICIOUS
    • Drops a system driver (possible attempt to evade defenses)
      • OpenHardwareMonitor.exe (PID: 696)
    • Uses .NET C# to load dll
      • OpenHardwareMonitor.exe (PID: 696)
  • INFO
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 124)
      • OpenHardwareMonitor.exe (PID: 696)
      • csc.exe (PID: 1384)
    • Checks supported languages
      • OpenHardwareMonitor.exe (PID: 696)
      • csc.exe (PID: 1384)
      • cvtres.exe (PID: 2428)
    • Reads the computer name
      • OpenHardwareMonitor.exe (PID: 696)
    • Reads the machine GUID from the registry
      • OpenHardwareMonitor.exe (PID: 696)
      • csc.exe (PID: 1384)
      • cvtres.exe (PID: 2428)
    • Manual execution by a user
      • OpenHardwareMonitor.exe (PID: 696)
      • OpenHardwareMonitor.exe (PID: 1504)
    • Create files in a temporary directory
      • mofcomp.exe (PID: 1924)
      • OpenHardwareMonitor.exe (PID: 696)
      • cvtres.exe (PID: 2428)
      • csc.exe (PID: 1384)
    • Reads Environment values
      • OpenHardwareMonitor.exe (PID: 696)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:12:27 16:06:36
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: OpenHardwareMonitor/
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar.exe, openhardwaremonitor.exe, openhardwaremonitor.exe, mofcomp.exe, csc.exe, cvtres.exe

Process information

PID: 124
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\openhardwaremonitor-v0.9.6.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 696
CMD: "C:\Users\admin\Desktop\OpenHardwareMonitor\OpenHardwareMonitor.exe"
Path: C:\Users\admin\Desktop\OpenHardwareMonitor\OpenHardwareMonitor.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Open Hardware Monitor
Exit code: 0
Version: 0.9.6.0
Modules (images):
c:\users\admin\desktop\openhardwaremonitor\openhardwaremonitor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1384
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\gydn0pxk\gydn0pxk.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: OpenHardwareMonitor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.3761.0 built by: NET48REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
PID: 1504
CMD: "C:\Users\admin\Desktop\OpenHardwareMonitor\OpenHardwareMonitor.exe"
Path: C:\Users\admin\Desktop\OpenHardwareMonitor\OpenHardwareMonitor.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Open Hardware Monitor
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 0.9.6.0
Modules (images):
c:\users\admin\desktop\openhardwaremonitor\openhardwaremonitor.exe
c:\windows\system32\ntdll.dll
PID: 1924
CMD: "C:\Windows\system32\WBEM\mofcomp.exe" C:\Windows\system32\WBEM\Framework\root\OpenHardwareMonitor\OpenHardwareMonitor_SN__Version_0.9.6.0.mof
Path: C:\Windows\System32\wbem\mofcomp.exe
Parent process: OpenHardwareMonitor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: The Managed Object Format (MOF) Compiler
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\wbem\mofcomp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2428
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES2EDC.tmp" "c:\Users\admin\AppData\Local\Temp\gydn0pxk\CSC47F36701327448B28EEE9891433DD4E4.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.10.25028.0 built by: VCTOOLSD15RTM
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
Total events: 1 467
Read events: 1 457
Write events: 10
Delete events: 0

Modification events

(PID) Process: (124) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (124) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (124) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (124) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (124) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (124) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (124) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (124) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (124) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1924) mofcomp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
Operation: write
Name: Autorecover MOFs timestamp
Value: 133331385132656250
Executable files: 7
Suspicious files: 3
Text files: 7
Unknown types: 0

Dropped files

PID: 696
Process: OpenHardwareMonitor.exe
Filename: C:\Windows\system32\WBEM\Framework\root\OpenHardwareMonitor\OpenHardwareMonitor_SN__Version_0.9.6.0.mof
Type: text
MD5: 53081D691AFEDCC6E7812977756AF792
SHA256: C9A8665215AEBF1D61FEC975F5E3F4E89521522F651D1105B8F608211A7A26A5

PID: 124
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa124.055\OpenHardwareMonitor\Aga.Controls.dll
Type: executable
MD5: F17BE368ADE3F7CFBB6AA9DD734CE328
SHA256: 830E520CAF3E89DCCAA3C12E3BFC992221C164F2319A2BA57E402499C24290E3

PID: 124
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa124.055\OpenHardwareMonitor\OpenHardwareMonitor.exe
Type: executable
MD5: A261F824AB957A5331AF53C7722FA2DE
SHA256: EC767A74C5659A05BDB7AC10BD42C2EA6D44FA946286029B2866AED476AD83BC

PID: 696
Process: OpenHardwareMonitor.exe
Filename: C:\Users\admin\Desktop\OpenHardwareMonitor\OpenHardwareMonitorLib.sys
Type: executable
MD5: 845AF1BA23C8D5E64DEF61BCC441604C
SHA256: 206EE7A7C3F4D9496F742CCB84718F556ECB4BA2A95FE7E0CDF3A003FFBE4597

PID: 124
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa124.055\OpenHardwareMonitor\OpenHardwareMonitorLib.dll
Type: executable
MD5: 84F1D429196CC4E89D22B2652E65F669
SHA256: EF02B0991AAC678052BB79DFDFD5BFA0B42B1F34B209E35819BA606909655F58

PID: 696
Process: OpenHardwareMonitor.exe
Filename: C:\Windows\system32\WBEM\Framework\root\OpenHardwareMonitor\OpenHardwareMonitor_SN__Version_0.9.6.0.cs
Type: text
MD5: 774F474D03C669154883A2673DFB1227
SHA256: 3977289C2F9E9F5BFC1496E0AD443A685D28E5272E8FA9AE1BC6B97F749E320D

PID: 696
Process: OpenHardwareMonitor.exe
Filename: C:\Users\admin\AppData\Local\Temp\gydn0pxk\gydn0pxk.0.cs
Type: text
MD5: 07A1D0AD3304D4589BB083A5E4187D7D
SHA256: FDFE8A3908694C6E084A051C54BE36225C2395B43A860852FB51EBC1095597D4

PID: 1924
Process: mofcomp.exe
Filename: C:\Windows\system32\wbem\AutoRecover\00F67A77883EFBAE535B360A10E07FD8.mof
Type: text
MD5: 40D27E57134BA6CBAA718D1A843B0759
SHA256: 30C73FEFD18B8F03641A984C81E67D06C9356A5E99281903B8D6BA0F5C7BABAD

PID: 124
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa124.055\OpenHardwareMonitor\License.html
Type: html
MD5: 56E35FD2E011977C42260637515E7E6A
SHA256: B14E66270C828C445662328127F68042A1D6B17E7382E150E542A2045B1A9075

PID: 124
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa124.055\OpenHardwareMonitor\OxyPlot.WindowsForms.dll
Type: executable
MD5: 689121CA3540A36B3829FD887635756F
SHA256: C92CFE4026EF2319C84AAB392F274EBDEB135DB85123FF0E44EDF4A99B05C7D0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info