File name: HWID Lookup V 2.0_[unknowncheats.me]_.exe

Full analysis: https://app.any.run/tasks/33281ce7-55bf-4981-8ea3-5d41b039da0c
Verdict: Malicious activity
Analysis date: May 02, 2025, 14:25:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5: 60A4BD9E3584D859E7F0A2A33AD8D8F0
SHA1: EA478C22C2D4F3E07CBF9EE1C40BEFD1CB47EADE
SHA256: F1975B74F9EC508DC5EFFC624B627E9AE62A8D02D12B0A6B5FB72D8442F9A6ED
SSDEEP: 3072:t/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSmsdRe:Atzsb5Uh28+V1WW69B9VjMdxPedN9uge

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • HWID Lookup V 2.0_[unknowncheats.me]_.exe (PID: 7364)
    • Starts CMD.EXE for commands execution

      • HWID Lookup V 2.0_[unknowncheats.me]_.exe (PID: 7364)
      • cmd.exe (PID: 7420)
    • Uses WMIC.EXE to obtain system information

      • cmd.exe (PID: 7588)
    • Accesses computer name via WMI (SCRIPT)

      • WMIC.exe (PID: 7604)
      • WMIC.exe (PID: 5968)
    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 7712)
      • cmd.exe (PID: 7776)
      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 7996)
    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 7464)
      • cmd.exe (PID: 7420)
    • Application launched itself

      • cmd.exe (PID: 7420)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 7300)
      • cmd.exe (PID: 8056)
      • cmd.exe (PID: 8128)
      • cmd.exe (PID: 5244)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 1040)
      • cmd.exe (PID: 7480)
      • cmd.exe (PID: 7668)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7420)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 7420)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7420)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 7420)
    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 7420)
    • Sets XML DOM element text (SCRIPT)

      • WMIC.exe (PID: 5968)
    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 7420)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 7420)
    • Uses WMIC.EXE to obtain desktop monitor information

      • cmd.exe (PID: 7420)
    • Uses WMIC.EXE to obtain Sound Devices data

      • cmd.exe (PID: 7420)
    • Uses WMIC.EXE to obtain information about the network interface controller

      • cmd.exe (PID: 7420)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 8084)
    • Uses WMIC.EXE

      • cmd.exe (PID: 7420)
  • INFO

    • Checks supported languages

      • HWID Lookup V 2.0_[unknowncheats.me]_.exe (PID: 7364)
      • mode.com (PID: 7440)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7440)
    • Create files in a temporary directory

      • HWID Lookup V 2.0_[unknowncheats.me]_.exe (PID: 7364)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7480)
      • WMIC.exe (PID: 7664)
      • WMIC.exe (PID: 7604)
      • WMIC.exe (PID: 7792)
      • WMIC.exe (PID: 7728)
      • WMIC.exe (PID: 8012)
      • WMIC.exe (PID: 8072)
      • WMIC.exe (PID: 8144)
      • WMIC.exe (PID: 5968)
      • WMIC.exe (PID: 3008)
      • WMIC.exe (PID: 4464)
      • WMIC.exe (PID: 7624)
      • WMIC.exe (PID: 7880)
      • WMIC.exe (PID: 7284)
      • WMIC.exe (PID: 7904)
      • WMIC.exe (PID: 8008)
      • WMIC.exe (PID: 8084)
      • WMIC.exe (PID: 8056)
      • WMIC.exe (PID: 7652)
      • WMIC.exe (PID: 8180)
      • WMIC.exe (PID: 7284)
      • WMIC.exe (PID: 7864)
      • WMIC.exe (PID: 7248)
      • WMIC.exe (PID: 5968)
      • WMIC.exe (PID: 6080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:07:30 08:52:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 2.5
CodeSize: 92672
InitializedDataSize: 102912
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 180
Monitored processes: 50
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes shown in the interactive graph, in launch order (the graph image itself is not reproduced here):
hwid lookup v 2.0_[unknowncheats.me]_.exe → conhost.exe → cmd.exe → mode.com → (cmd.exe → wmic.exe) ×5 → sppextcomobj.exe → cmd.exe → wmic.exe → slui.exe → (cmd.exe → wmic.exe) ×10 → systeminfo.exe → findstr.exe → tiworker.exe → wmic.exe ×8 → findstr.exe → wmic.exe ×2

Process information

Fields per process: PID | CMD | Path | Indicators | Parent process
PID: 1040
CMD: C:\WINDOWS\system32\cmd.exe /c wmic cpu get processorid
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2240
CMD: C:\WINDOWS\system32\cmd.exe /c wmic cpu get level
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 3008
CMD: wmic cpu get level
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 4464
CMD: wmic cpu get processorid
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 5244
CMD: C:\WINDOWS\system32\cmd.exe /c wmic cpu get datawidth
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 5968
CMD: wmic cpu get datawidth
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 5968 (PID reused by a later process)
CMD: wmic path Win32_USBControllerDevice get Dependent
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 6080
CMD: wmic os get LastBootUpTime
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 6156
CMD: systeminfo
Path: C:\Windows\System32\systeminfo.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Displays system information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6476
CMD: findstr /B /C:"Betriebssystemname" /C:"Betriebssystemversion" /C:"Installiertes Patch" /C:"Systemtyp" /C:"Registrierte Benutzerorganisation"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
Total events: 9 841
Read events: 9 839
Write events: 2
Delete events: 0

Modification events

Process: TiWorker.exe (PID 7176)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value: 31177582

Process: TiWorker.exe (PID 7176)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdLow
Value: 475614093
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 7364
Process: HWID Lookup V 2.0_[unknowncheats.me]_.exe
Filename: C:\Users\admin\AppData\Local\Temp\F389.tmp\F39A.tmp\F39B.bat
Type: text
MD5: B2E826C35CD955D297BD0CCC47270D16
SHA256: D77E9A07F98D9361A8627449341EE8B47B078D47E6C4D5B9F241CAF6380E7472

PID: 7176
Process: TiWorker.exe
Filename: C:\Windows\Logs\CBS\CBS.log
Type: text
MD5: 5589B840A2F52690ECC792282E3E1E5B
SHA256: 4A757C1DD8B39ED1E1E0B41F2870730C604FCAE3FEAABA00B095A4786DABF892
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 18
DNS requests: 15
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (empty cells are omitted in the extracted rows below)

5496 | MoUsoCoreWorker.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4008 | SIHClient.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4008 | SIHClient.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a cell that was empty in the report)

4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.164.43:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2568 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 20.190.160.17:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Columns: Domain | IP(s) | Reputation

google.com | 142.250.186.142 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
crl.microsoft.com | 2.16.164.43, 2.16.164.106, 2.16.164.34, 2.16.164.51, 2.16.164.32 | whitelisted
www.microsoft.com | 23.219.150.101, 23.59.18.102 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.190.160.17, 20.190.160.2, 20.190.160.132, 40.126.32.133, 20.190.160.14, 20.190.160.67, 40.126.32.76, 20.190.160.128 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted
nexusrules.officeapps.live.com | 52.111.243.29 | whitelisted

Threats

No threats detected.
No debug info.