analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

cpu-z_1.97-en.exe

Full analysis: https://app.any.run/tasks/02c7f322-8d25-4b18-8b57-912e6582654e
Verdict: Malicious activity
Analysis date: December 06, 2022, 06:15:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

9E3CE08750B875EAC894F245B0271FDC

SHA1:

C29E78099CDF3A3A8C2E23FE75F38BBABC631D92

SHA256:

825A5E768DF385AD651B16256755A63D91FB710E46296D3B0D05E9DF7EEEDAFF

SSDEEP:

49152:wy+Sh4r+VNPvJ3x19XX3QZcBJwHjniXZsILcKvQ1aB:B+Sh4revJB/XX3QZkqDiXWXKI1a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • cpu-z_1.97-en.tmp (PID: 3460)
      • cpuz.exe (PID: 3228)
    • Application was dropped or rewritten from another process

      • cpuz.exe (PID: 2800)
      • cpuz.exe (PID: 3228)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cpu-z_1.97-en.tmp (PID: 3460)
      • cpuz.exe (PID: 3228)
    • Drops a file with too old compile date

      • cpu-z_1.97-en.tmp (PID: 3460)
  • INFO

    • Application was dropped or rewritten from another process

      • cpu-z_1.97-en.tmp (PID: 2284)
      • cpu-z_1.97-en.tmp (PID: 3460)
    • Drops a file that was compiled in debug mode

      • cpuz.exe (PID: 3228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • Dutch - Netherlands
  • English - United States
Comments: This installation was built with Inno Setup.
CompanyName: CPUID, Inc.
FileDescription: CPUID CPU-Z Setup
FileVersion: -
LegalCopyright: -
ProductName: CPUID CPU-Z
ProductVersion: 1.97

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
4096
41480
41984
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60167
DATA
49152
592
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.77135
BSS
53248
3732
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
57344
2428
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.48608
.tls
61440
8
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
65536
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.190489
.reloc
69632
2336
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc
73728
11264
11264
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
4.58902

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.25755
296
UNKNOWN
Dutch - Netherlands
RT_ICON
2
3.47151
1384
UNKNOWN
Dutch - Netherlands
RT_ICON
3
3.91708
744
UNKNOWN
Dutch - Netherlands
RT_ICON
4
3.91366
2216
UNKNOWN
Dutch - Netherlands
RT_ICON
4089
3.21823
754
UNKNOWN
UNKNOWN
RT_STRING
4090
3.31515
780
UNKNOWN
UNKNOWN
RT_STRING
4091
3.25024
718
UNKNOWN
UNKNOWN
RT_STRING
4093
2.86149
104
UNKNOWN
UNKNOWN
RT_STRING
4094
3.20731
180
UNKNOWN
UNKNOWN
RT_STRING
4095
3.04592
174
UNKNOWN
UNKNOWN
RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
6
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start cpu-z_1.97-en.exe no specs cpu-z_1.97-en.tmp no specs cpu-z_1.97-en.exe cpu-z_1.97-en.tmp cpuz.exe no specs cpuz.exe

Process information

PID
CMD
Path
Indicators
Parent process
1328"C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe" C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exeExplorer.EXE
User:
admin
Company:
CPUID, Inc.
Integrity Level:
MEDIUM
Description:
CPUID CPU-Z Setup
Version:
2284"C:\Users\admin\AppData\Local\Temp\is-O805F.tmp\cpu-z_1.97-en.tmp" /SL5="$50198,1823662,58368,C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe" C:\Users\admin\AppData\Local\Temp\is-O805F.tmp\cpu-z_1.97-en.tmpcpu-z_1.97-en.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.52.0.0
3304"C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe" /SPAWNWND=$601B0 /NOTIFYWND=$50198 C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe
cpu-z_1.97-en.tmp
User:
admin
Company:
CPUID, Inc.
Integrity Level:
HIGH
Description:
CPUID CPU-Z Setup
Version:
3460"C:\Users\admin\AppData\Local\Temp\is-8FTHL.tmp\cpu-z_1.97-en.tmp" /SL5="$601C8,1823662,58368,C:\Users\admin\AppData\Local\Temp\cpu-z_1.97-en.exe" /SPAWNWND=$601B0 /NOTIFYWND=$50198 C:\Users\admin\AppData\Local\Temp\is-8FTHL.tmp\cpu-z_1.97-en.tmp
cpu-z_1.97-en.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.52.0.0
2800"C:\Program Files\CPUID\CPU-Z\cpuz.exe" C:\Program Files\CPUID\CPU-Z\cpuz.exeExplorer.EXE
User:
admin
Company:
CPUID
Integrity Level:
MEDIUM
Description:
CPU-Z Application
Exit code:
3221226540
Version:
1, 9, 7, 0
3228"C:\Program Files\CPUID\CPU-Z\cpuz.exe" C:\Program Files\CPUID\CPU-Z\cpuz.exe
Explorer.EXE
User:
admin
Company:
CPUID
Integrity Level:
HIGH
Description:
CPU-Z Application
Exit code:
0
Version:
1, 9, 7, 0
Total events
7 055
Read events
6 963
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
7
Text files
8
Unknown types
8

Dropped files

PID
Process
Filename
Type
3460cpu-z_1.97-en.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\CPU-Z\Uninstall CPU-Z.lnklnk
MD5:C7160BD723789F8BE7D7084B63068E67
SHA256:1DB7E20991458B6DD4DC07D0EB70E6ADCC3142CBC15B43BA8BBE4A05B673CE7D
3228cpuz.exeC:\Windows\temp\cpuz152\cpuz152_x32.sysexecutable
MD5:7ABF3D484905A6335F79A306FD138A24
SHA256:86C07833EC88C93F01689103390032335B95C52E0E9B4994A63014A72428DBF5
3460cpu-z_1.97-en.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\CPU-Z\CPU-Z.lnklnk
MD5:41B7A17FE67C65AE00C65ECCAFAC3C31
SHA256:DACDFA385C42C4B4C386CD116C2246A7426C1F49034C212733568F2AD91E5071
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\unins000.datdat
MD5:9A5C3D63CAA25066B12FABEF42C66863
SHA256:88716F099AA7AD7AC53F4EFA8EBAFBCA086B2C5CD9C05F20E12E12F4C0F6B56C
3460cpu-z_1.97-en.tmpC:\Users\Public\Desktop\CPUID CPU-Z.lnklnk
MD5:E59B3161C111358D89A61B62E2790150
SHA256:FEF3F097B929D8537B176FA113E0F145EF31A76A6A22646728FE347D77804DE2
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\is-HMFU8.tmptext
MD5:99694811A33139D2C4B89CF033A01A5F
SHA256:0B15131AF3B8D32450A3774CFC06F9797B9435D921EACBD33D8B1F8BD43EB401
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\is-5KN8A.tmpexecutable
MD5:D1C46C8FC337C9C4CBAB797137939D53
SHA256:798EECEBB059F2C27383816BE38A2E8EE9A2F05EABD2028FB8D7BCDA58CAA597
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\unins000.exeexecutable
MD5:D1C46C8FC337C9C4CBAB797137939D53
SHA256:798EECEBB059F2C27383816BE38A2E8EE9A2F05EABD2028FB8D7BCDA58CAA597
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\cpuz_readme.txttext
MD5:99694811A33139D2C4B89CF033A01A5F
SHA256:0B15131AF3B8D32450A3774CFC06F9797B9435D921EACBD33D8B1F8BD43EB401
3460cpu-z_1.97-en.tmpC:\Program Files\CPUID\CPU-Z\is-9IK3O.tmpexecutable
MD5:FDE5901182C8ACB96CF1F5DB75239E36
SHA256:C266AFF3BB636A13F287DD4E00F81CA4DDDB562C0AE83E849F1C8FEE4C5DAF9F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3228
cpuz.exe
GET
200
8.238.28.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?941522294cdd5116
US
compressed
61.4 Kb
whitelisted
3228
cpuz.exe
GET
200
2.16.202.121:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMx09HkWS07es1rXypVKP5qnA%3D%3D
NL
der
503 b
shared
3228
cpuz.exe
GET
200
8.238.28.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?da17bc9153a68836
US
compressed
4.70 Kb
whitelisted
3228
cpuz.exe
GET
200
184.24.9.54:80
http://x1.c.lencr.org/
DE
der
717 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3228
cpuz.exe
195.154.81.43:443
download.cpuid.com
Online S.a.s.
FR
suspicious
3228
cpuz.exe
8.238.28.126:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
3228
cpuz.exe
184.24.9.54:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
3228
cpuz.exe
2.16.202.121:80
r3.o.lencr.org
Akamai International B.V.
NL
suspicious

DNS requests

Domain
IP
Reputation
download.cpuid.com
  • 195.154.81.43
whitelisted
ctldl.windowsupdate.com
  • 8.238.28.126
  • 8.238.30.254
  • 8.238.32.126
  • 8.248.147.254
  • 8.241.9.254
whitelisted
x1.c.lencr.org
  • 184.24.9.54
whitelisted
r3.o.lencr.org
  • 2.16.202.121
  • 95.101.54.131
shared

Threats

No threats detected
No debug info