File name:

cpu-z_1.97-en.exe

Full analysis: https://app.any.run/tasks/02c7f322-8d25-4b18-8b57-912e6582654e
Verdict: Malicious activity
Analysis date: December 06, 2022, 06:15:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

9E3CE08750B875EAC894F245B0271FDC

SHA1:

C29E78099CDF3A3A8C2E23FE75F38BBABC631D92

SHA256:

825A5E768DF385AD651B16256755A63D91FB710E46296D3B0D05E9DF7EEEDAFF

SSDEEP:

49152:wy+Sh4r+VNPvJ3x19XX3QZcBJwHjniXZsILcKvQ1aB:B+Sh4revJB/XX3QZkqDiXWXKI1a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cpuz.exe (PID: 2800)
      • cpuz.exe (PID: 3228)

    • Drops the executable file immediately after the start

      • cpu-z_1.97-en.tmp (PID: 3460)
      • cpuz.exe (PID: 3228)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cpu-z_1.97-en.tmp (PID: 3460)
      • cpuz.exe (PID: 3228)

    • Drops a file with too old compile date

      • cpu-z_1.97-en.tmp (PID: 3460)

  • INFO

    • Application was dropped or rewritten from another process

      • cpu-z_1.97-en.tmp (PID: 3460)
      • cpu-z_1.97-en.tmp (PID: 2284)

    • Drops a file that was compiled in debug mode

      • cpuz.exe (PID: 3228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • Dutch - Netherlands
  • English - United States
Comments: This installation was built with Inno Setup.
CompanyName: CPUID, Inc.
FileDescription: CPUID CPU-Z Setup
FileVersion:
LegalCopyright:
ProductName: CPUID CPU-Z
ProductVersion: 1.97

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: 0
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 26
e_oemid: 0
e_oeminfo: 0
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
4096
41480
41984
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60167
DATA
49152
592
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.77135
BSS
53248
3732
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
57344
2428
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.48608
.tls
61440
8
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
65536
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.190489
.reloc
69632
2336
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc
73728
11264
11264
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
4.58902

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.25755
296
UNKNOWN
Dutch - Netherlands
RT_ICON
2
3.47151
1384
UNKNOWN
Dutch - Netherlands
RT_ICON
3
3.91708
744
UNKNOWN
Dutch - Netherlands
RT_ICON
4
3.91366
2216
UNKNOWN
Dutch - Netherlands
RT_ICON
4089
3.21823
754
UNKNOWN
UNKNOWN
RT_STRING
4090
3.31515
780
UNKNOWN
UNKNOWN
RT_STRING
4091
3.25024
718
UNKNOWN
UNKNOWN
RT_STRING
4093
2.86149
104
UNKNOWN
UNKNOWN
RT_STRING
4094
3.20731
180
UNKNOWN
UNKNOWN
RT_STRING
4095
3.04592
174
UNKNOWN
UNKNOWN
RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
6
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start cpu-z_1.97-en.exe no specs cpu-z_1.97-en.tmp no specs cpu-z_1.97-en.exe cpu-z_1.97-en.tmp cpuz.exe no specs cpuz.exe

Process information

PID
CMD
Path
Indicators
Parent process
1328"C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe" C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exeExplorer.EXE
User:
admin
Company:
CPUID, Inc.
Integrity Level:
MEDIUM
Description:
CPUID CPU-Z Setup
Version:
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\users\admin\appdata\local\temp\cpu-z_1.97-en.exe
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
2284"C:\Users\admin\AppData\Local\Temp\is-O805F.tmp\cpu-z_1.97-en.tmp" /SL5="$50198,1823662,58368,C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe" C:\Users\admin\AppData\Local\Temp\is-O805F.tmp\cpu-z_1.97-en.tmpcpu-z_1.97-en.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-o805f.tmp\cpu-z_1.97-en.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3304"C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe" /SPAWNWND=$601B0 /NOTIFYWND=$50198 C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe
cpu-z_1.97-en.tmp
User:
admin
Company:
CPUID, Inc.
Integrity Level:
HIGH
Description:
CPUID CPU-Z Setup
Version:
Modules
Images
c:\users\admin\appdata\local\temp\cpu-z_1.97-en.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3460"C:\Users\admin\AppData\Local\Temp\is-8FTHL.tmp\cpu-z_1.97-en.tmp" /SL5="$601C8,1823662,58368,C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe" /SPAWNWND=$601B0 /NOTIFYWND=$50198 C:\Users\admin\AppData\Local\Temp\is-8FTHL.tmp\cpu-z_1.97-en.tmp
cpu-z_1.97-en.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-8fthl.tmp\cpu-z_1.97-en.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
2800"C:\Program Files\CPUID\CPU-Z\cpuz.exe" C:\Program Files\CPUID\CPU-Z\cpuz.exeExplorer.EXE
User:
admin
Company:
CPUID
Integrity Level:
MEDIUM
Description:
CPU-Z Application
Exit code:
3221226540
Version:
1, 9, 7, 0
Modules
Images
c:\program files\cpuid\cpu-z\cpuz.exe
c:\windows\system32\ntdll.dll
3228"C:\Program Files\CPUID\CPU-Z\cpuz.exe" C:\Program Files\CPUID\CPU-Z\cpuz.exe
Explorer.EXE
User:
admin
Company:
CPUID
Integrity Level:
HIGH
Description:
CPU-Z Application
Exit code:
0
Version:
1, 9, 7, 0
Modules
Images
c:\program files\cpuid\cpu-z\cpuz.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\version.dll
Total events
7 055
Read events
6 963
Write events
86
Delete events
6

Modification events

(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
840D0000C0758A353A09D901
(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
C8F0F279122FD28834184E6F4F328AADE2ED33CB8EF7BE12E8035A2F35FFC809
(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Program Files\CPUID\CPU-Z\cpuz.exe
(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
ADABDCACF587EC8F9CFA671D13F200AA30A67735DB241B9CC97715CF9C375422
(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\CPUID\CPU-Z
Operation:writeName:PATH
Value:
C:\Program Files\CPUID\CPU-Z
(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\CPUID\CPU-Z
Operation:writeName:PRODUCT_NAME
Value:
CPUID CPU-Z
(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\CPUID\CPU-Z
Operation:writeName:VERSION
Value:
1.97
(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CPUID CPU-Z_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.6.1 (a)
(PID) Process:(3460) cpu-z_1.97-en.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CPUID CPU-Z_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\CPUID\CPU-Z
Executable files
7
Suspicious files
7
Text files
8
Unknown types
8

Dropped files

PID
Process
Filename
Type
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\cpuz.initext
MD5:15130D155F7DDAFB034A62077B051F16
SHA256:3E0364795D926935AB038CD9197AD10AFFB55983198858C6BF70B4D01F7F5529
3460cpu-z_1.97-en.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\CPU-Z\CPU-Z.lnklnk
MD5:41B7A17FE67C65AE00C65ECCAFAC3C31
SHA256:DACDFA385C42C4B4C386CD116C2246A7426C1F49034C212733568F2AD91E5071
3460cpu-z_1.97-en.tmpC:\Users\Public\Desktop\CPUID CPU-Z.lnklnk
MD5:E59B3161C111358D89A61B62E2790150
SHA256:FEF3F097B929D8537B176FA113E0F145EF31A76A6A22646728FE347D77804DE2
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\is-UKDDF.tmptext
MD5:15130D155F7DDAFB034A62077B051F16
SHA256:3E0364795D926935AB038CD9197AD10AFFB55983198858C6BF70B4D01F7F5529
3228cpuz.exeC:\Windows\temp\cpuz_driver_3228.logtext
MD5:4015F76944FFB53111F9B0A41F1DF460
SHA256:7C48C5DCE403EBE99BBE089D3C12973E79E7FEC6BE5EB6478AA371103A9580AA
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\unins000.datdat
MD5:9A5C3D63CAA25066B12FABEF42C66863
SHA256:88716F099AA7AD7AC53F4EFA8EBAFBCA086B2C5CD9C05F20E12E12F4C0F6B56C
3228cpuz.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
3228cpuz.exeC:\Windows\temp\cpuz152\cpuz152_x32.sysexecutable
MD5:7ABF3D484905A6335F79A306FD138A24
SHA256:86C07833EC88C93F01689103390032335B95C52E0E9B4994A63014A72428DBF5
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\is-HASOT.tmptext
MD5:E44F547A3378E46171D56A8A80CE9A40
SHA256:AB086F912FF00C8C3AB42B8CA6D01395A96ECA253FAE4B186A3CA72C230B66B0
3460cpu-z_1.97-en.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\CPU-Z\Edit CPU-Z Config File.lnklnk
MD5:707450F3D341C492763819A5EE231B86
SHA256:F6ECCE5014D831E0B52C55F3F551B6FA258E8B29E6C96FDB56A403AEEC29F6FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3228
cpuz.exe
GET
200
8.238.28.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?da17bc9153a68836
US
compressed
4.70 Kb
whitelisted
3228
cpuz.exe
GET
200
2.16.202.121:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMx09HkWS07es1rXypVKP5qnA%3D%3D
NL
der
503 b
shared
3228
cpuz.exe
GET
200
184.24.9.54:80
http://x1.c.lencr.org/
DE
der
717 b
whitelisted
3228
cpuz.exe
GET
200
8.238.28.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?941522294cdd5116
US
compressed
61.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3228
cpuz.exe
195.154.81.43:443
download.cpuid.com
Online S.a.s.
FR
suspicious
3228
cpuz.exe
8.238.28.126:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
3228
cpuz.exe
184.24.9.54:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
3228
cpuz.exe
2.16.202.121:80
r3.o.lencr.org
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
download.cpuid.com
  • 195.154.81.43
whitelisted
ctldl.windowsupdate.com
  • 8.238.28.126
  • 8.238.30.254
  • 8.238.32.126
  • 8.248.147.254
  • 8.241.9.254
whitelisted
x1.c.lencr.org
  • 184.24.9.54
whitelisted
r3.o.lencr.org
  • 2.16.202.121
  • 95.101.54.131
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
cpu-z_1.97-en.exe