File name:

HWiNFO64.exe

Full analysis: https://app.any.run/tasks/125fe9ed-5e77-4ac3-b8e8-47a54f556b7a
Verdict: Malicious activity
Analysis date: June 30, 2024, 07:46:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

579577F08C54877DCEACD7AA5F4AE13C

SHA1:

0488BCA2BD187B991C7F6AA97CA07D1EE6B8D47B

SHA256:

9EC0D8BC09567101F13FF80EB7B80F161024F036D67F0C374339D8F7EA31BD2C

SSDEEP:

98304:B2WrkgbJy8ZRRq2a2P7d48bOdsaQy4otopqLe43uI74YP++txQpdrzv23a6LBIYE:BdJUNpDlSI1vwoRRfs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • HWiNFO64.exe (PID: 524)

  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • HWiNFO64.exe (PID: 524)

    • Reads the BIOS version

      • HWiNFO64.exe (PID: 524)

    • Executable content was dropped or overwritten

      • HWiNFO64.exe (PID: 524)

    • The process checks if it is being run in the virtual environment

      • HWiNFO64.exe (PID: 524)

    • Reads security settings of Internet Explorer

      • HWiNFO64.exe (PID: 524)

    • Checks Windows Trust Settings

      • HWiNFO64.exe (PID: 524)

  • INFO

    • Create files in a temporary directory

      • HWiNFO64.exe (PID: 524)

    • Checks supported languages

      • HWiNFO64.exe (PID: 524)

    • Reads the computer name

      • HWiNFO64.exe (PID: 524)

    • Reads the machine GUID from the registry

      • HWiNFO64.exe (PID: 524)

    • Checks proxy server information

      • HWiNFO64.exe (PID: 524)

    • Reads the software policy settings

      • HWiNFO64.exe (PID: 524)

    • Reads CPU info

      • HWiNFO64.exe (PID: 524)

    • Reads the time zone

      • HWiNFO64.exe (PID: 524)

    • Creates files or folders in the user directory

      • HWiNFO64.exe (PID: 524)

    • UPX packer has been detected

      • HWiNFO64.exe (PID: 524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (47)
.exe | UPX compressed Win32 Executable (46.1)
.exe | Generic Win/DOS Executable (3.4)
.exe | DOS Executable Generic (3.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:06:12 09:02:35+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 9093120
InitializedDataSize: 110592
UninitializedDataSize: 18771968
EntryPoint: 0x1a92a30
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 8.4.5470.0
ProductVersionNumber: 8.4.5470.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: REALiX s.r.o.
FileVersion: 8.04-5470
ProductVersion: 8.04-5470
LegalCopyright: Copyright (c)1999-2024 Martin Malik - REALiX
InternalName: HWiNFO64
FileDescription: HWiNFO64
OriginalFileName: HWiNFO64.EXE
ProductName: Hardware Info Program for x64 (HWiNFO64)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT hwinfo64.exe hwinfo64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
524"C:\Users\admin\Desktop\HWiNFO64.exe" C:\Users\admin\Desktop\HWiNFO64.exe
explorer.exe
User:
admin
Company:
REALiX s.r.o.
Integrity Level:
HIGH
Description:
HWiNFO64
Version:
8.04-5470
Modules
Images
c:\users\admin\desktop\hwinfo64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2820"C:\Users\admin\Desktop\HWiNFO64.exe" C:\Users\admin\Desktop\HWiNFO64.exeexplorer.exe
User:
admin
Company:
REALiX s.r.o.
Integrity Level:
MEDIUM
Description:
HWiNFO64
Exit code:
3221226540
Version:
8.04-5470
Modules
Images
c:\users\admin\desktop\hwinfo64.exe
c:\windows\system32\ntdll.dll
Total events
3 041
Read events
3 021
Write events
20
Delete events
0

Modification events

(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Summary\Clocks
Operation:writeName:WndTopX
Value:
1217
(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Summary\Clocks
Operation:writeName:WndTopY
Value:
68
(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Summary\Clocks
Operation:writeName:WndBottomX
Value:
1480
(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Summary\Clocks
Operation:writeName:WndBottomY
Value:
182
(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Summary\Clocks
Operation:writeName:WndStyle
Value:
(PID) Process:(524) HWiNFO64.exeKey:HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Summary\Clocks
Operation:writeName:Scaling
Value:
100
Executable files
1
Suspicious files
9
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
524HWiNFO64.exeC:\WINDOWS\INF\wvid.PNFbinary
MD5:7D34DC91D48FBF9B00E281E89764F8FD
SHA256:C28F3CBDFEF63D8A1F2F1EFF97064B288A8ADD5BFE21EB59E9FA3F5B9D8EED59
524HWiNFO64.exeC:\WINDOWS\INF\display.PNFbinary
MD5:A6AF4806AE1119C9B93F153EAFFF4C20
SHA256:F8505FFA34BB0781B89DDD620ECD0E73543B982D794AD6316F3A15CDB87E758E
524HWiNFO64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:5F86275AB783DE6171911C9C44EAB98D
SHA256:2852C873F8EDAD0C74C7B51271089D2807B8EFEFB6D7AEB6DC4D380552C8CB21
524HWiNFO64.exeC:\Users\admin\AppData\Local\Temp\HWiNFO_x64_201.sysexecutable
MD5:B7BE0D6A261F01F00B34CB265A29E866
SHA256:E4D7BD2AA979CF7B33DE591C8D3ABEABEB0E978B79237488159A3164F248529E
524HWiNFO64.exeC:\WINDOWS\INF\basicdisplay.PNFbinary
MD5:914DCB989709A0CE3F4B24A4CD147F1A
SHA256:C2FEE0EAD23C7B3B509FDDE94DDD6A549F999F364C5CA9D09AC084F22BC0ECB4
524HWiNFO64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:2365869258DF7A66A2121B802CA4AFD9
SHA256:D6B1932822BBD72A8E78C771717D992142348F67D625A42393719FEFBE59B0ED
524HWiNFO64.exeC:\WINDOWS\INF\machine.PNFbinary
MD5:4C103190BC521FF032845C1B5FDADC4F
SHA256:28C1DEE803488C32BF5229B05FB3F6DA8959A436BB17D331E68AFA61A3BE932F
524HWiNFO64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:743696FAD847DD27A7169F573F79128B
SHA256:13A53ABA8E557C9ABDE083F25E03D8C2232D9EFE9E5FC0B0113276777CC27569
524HWiNFO64.exeC:\WINDOWS\INF\basicrender.PNFbinary
MD5:F2231537B341E79667097B0C33036EAD
SHA256:48EB79DEF2B49DC1F4B5683BF4C776584D00342AD1F30429FB31D077ADA09016
524HWiNFO64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1BFE0A81DB078EA084FF82FE545176FE
SHA256:5BA8817F13EEE00E75158BAD93076AB474A068C6B52686579E0F728FDA68499F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
47
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
524
HWiNFO64.exe
GET
200
216.58.212.163:80
http://c.pki.goog/r/gsr1.crl
unknown
unknown
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
524
HWiNFO64.exe
GET
200
216.58.212.163:80
http://c.pki.goog/r/r4.crl
unknown
unknown
5856
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
4280
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
4280
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
428
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2524
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4004
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
6004
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4656
SearchApp.exe
2.23.209.187:443
www.bing.com
Akamai International B.V.
GB
unknown
1544
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
1544
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown
1060
svchost.exe
2.18.97.227:443
go.microsoft.com
Akamai International B.V.
FR
unknown
4656
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.209.187
  • 2.23.209.161
  • 2.23.209.189
  • 2.23.209.177
  • 2.23.209.185
  • 2.23.209.176
  • 2.23.209.149
  • 2.23.209.150
  • 2.23.209.182
  • 2.19.96.16
  • 2.19.96.27
  • 2.19.96.40
  • 2.19.96.24
  • 2.19.96.41
  • 2.19.96.42
  • 2.19.96.25
  • 2.19.96.32
  • 2.19.96.18
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 2.18.97.227
whitelisted
www.hwinfo.com
  • 104.21.22.164
  • 172.67.205.235
whitelisted
c.pki.goog
  • 216.58.212.163
unknown
arc.msn.com
  • 20.223.36.55
whitelisted
self.events.data.microsoft.com
  • 20.189.173.12
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
HWiNFO64.exe