Cuckoo Sandbox

File hwmonitor_1.63.exe

Summary
Download Resubmit sample

Size	2.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`79248bcce8f639ecb02849d1eafe3844`
SHA1	`8ba3b2abd30447ecdb9623c8434271b54bfbdadf`
SHA256	`6c8faba4768754c3364e7c400a9d79ccbece156087be607583619f11a09cb064`
SHA512	`1a0cb8a815ce38e8a3cb06edc7e4b2f08d326d6f92c10f21c5fa19f887d6df62bbbc7cd05fea9dee2c0796e5504a5b5c10bb4386f3eb986979087fc2cabaa65d`
CRC32	`5452ABA5`
ssdeep	`None`
Yara	disable_dep - Bypass DEP escalate_priv - Escalade priviledges win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.4 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	April 10, 2026, 2:22 p.m.	April 10, 2026, 2:23 p.m.	59 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2026-04-10 14:22:36,015 [analyzer] DEBUG: Starting analyzer from: C:\tmppw5mq4
2026-04-10 14:22:36,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\AvDICVTubZVYRDqlRAJFQvXfEWsIY
2026-04-10 14:22:36,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\jTDpXHpJNwIrAOxUBiiQNOB
2026-04-10 14:22:36,265 [analyzer] DEBUG: Started auxiliary module Curtain
2026-04-10 14:22:36,265 [analyzer] DEBUG: Started auxiliary module DbgView
2026-04-10 14:22:36,733 [analyzer] DEBUG: Started auxiliary module Disguise
2026-04-10 14:22:36,953 [analyzer] DEBUG: Loaded monitor into process with pid 504
2026-04-10 14:22:36,953 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2026-04-10 14:22:36,953 [analyzer] DEBUG: Started auxiliary module Human
2026-04-10 14:22:36,953 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2026-04-10 14:22:36,953 [analyzer] DEBUG: Started auxiliary module Reboot
2026-04-10 14:22:37,046 [analyzer] DEBUG: Started auxiliary module RecentFiles
2026-04-10 14:22:37,046 [analyzer] DEBUG: Started auxiliary module Screenshots
2026-04-10 14:22:37,046 [analyzer] DEBUG: Started auxiliary module Sysmon
2026-04-10 14:22:37,046 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2026-04-10 14:22:37,233 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\hwmonitor_1.63.exe' with arguments '' and pid 2612
2026-04-10 14:22:37,437 [analyzer] DEBUG: Loaded monitor into process with pid 2612
2026-04-10 14:22:37,717 [analyzer] INFO: Added new file to list with pid 2612 and path C:\Users\Administrator\AppData\Local\Temp\is-1JS51.tmp\hwmonitor_1.63.tmp
2026-04-10 14:22:37,842 [analyzer] INFO: Injected into process with pid 1280 and name u'hwmonitor_1.63.tmp'
2026-04-10 14:22:38,030 [analyzer] DEBUG: Loaded monitor into process with pid 1280
2026-04-10 14:22:38,250 [analyzer] INFO: Added new file to list with pid 1280 and path C:\Users\Administrator\AppData\Local\Temp\is-V79J5.tmp\_isetup\_setup64.tmp
2026-04-10 13:23:25,141 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2026-04-10 13:23:25,375 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2612.
2026-04-10 13:23:25,486 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 1280.
2026-04-10 13:23:25,829 [analyzer] INFO: Terminating remaining processes before shutdown.
2026-04-10 13:23:25,829 [lib.api.process] INFO: Successfully terminated process with pid 2612.
2026-04-10 13:23:25,829 [lib.api.process] INFO: Successfully terminated process with pid 1280.
2026-04-10 13:23:25,923 [analyzer] INFO: Analysis completed.

Cuckoo Log

2026-04-10 14:22:37,213 [cuckoo.core.scheduler] INFO: Task #7513991: acquired machine win7x646 (label=win7x646)
2026-04-10 14:22:37,214 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.206 for task #7513991
2026-04-10 14:22:37,479 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 5762 (interface=vboxnet0, host=192.168.168.206)
2026-04-10 14:22:38,463 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x646
2026-04-10 14:22:38,920 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x646 to vmcloak
2026-04-10 14:22:47,395 [cuckoo.core.guest] INFO: Starting analysis #7513991 on guest (id=win7x646, ip=192.168.168.206)
2026-04-10 14:22:48,401 [cuckoo.core.guest] DEBUG: win7x646: not ready yet
2026-04-10 14:22:53,425 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x646, ip=192.168.168.206)
2026-04-10 14:22:53,498 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x646, ip=192.168.168.206, monitor=latest, size=6660546)
2026-04-10 14:22:54,891 [cuckoo.core.resultserver] DEBUG: Task #7513991: live log analysis.log initialized.
2026-04-10 14:22:55,800 [cuckoo.core.resultserver] DEBUG: Task #7513991 is sending a BSON stream
2026-04-10 14:22:56,252 [cuckoo.core.resultserver] DEBUG: Task #7513991 is sending a BSON stream
2026-04-10 14:22:56,860 [cuckoo.core.resultserver] DEBUG: Task #7513991 is sending a BSON stream
2026-04-10 14:22:57,120 [cuckoo.core.resultserver] DEBUG: Task #7513991: File upload for 'shots/0001.jpg'
2026-04-10 14:22:57,133 [cuckoo.core.resultserver] DEBUG: Task #7513991 uploaded file length: 133464
2026-04-10 14:22:58,228 [cuckoo.core.resultserver] DEBUG: Task #7513991: File upload for 'shots/0002.jpg'
2026-04-10 14:22:58,252 [cuckoo.core.resultserver] DEBUG: Task #7513991 uploaded file length: 132194
2026-04-10 14:23:09,515 [cuckoo.core.guest] DEBUG: win7x646: analysis #7513991 still processing
2026-04-10 14:23:24,614 [cuckoo.core.guest] DEBUG: win7x646: analysis #7513991 still processing
2026-04-10 14:23:25,706 [cuckoo.core.resultserver] DEBUG: Task #7513991: File upload for 'curtain/1775820205.7.curtain.log'
2026-04-10 14:23:25,720 [cuckoo.core.resultserver] DEBUG: Task #7513991 uploaded file length: 36
2026-04-10 14:23:25,836 [cuckoo.core.resultserver] DEBUG: Task #7513991: File upload for 'sysmon/1775820205.83.sysmon.xml'
2026-04-10 14:23:25,841 [cuckoo.core.resultserver] DEBUG: Task #7513991 uploaded file length: 254010
2026-04-10 14:23:25,853 [cuckoo.core.resultserver] DEBUG: Task #7513991: File upload for 'files/388a796580234efc__setup64.tmp'
2026-04-10 14:23:25,855 [cuckoo.core.resultserver] DEBUG: Task #7513991 uploaded file length: 6144
2026-04-10 14:23:25,888 [cuckoo.core.resultserver] DEBUG: Task #7513991: File upload for 'files/6270005159ce90cc_hwmonitor_1.63.tmp'
2026-04-10 14:23:25,932 [cuckoo.core.resultserver] DEBUG: Task #7513991 uploaded file length: 3130088
2026-04-10 14:23:26,178 [cuckoo.core.resultserver] DEBUG: Task #7513991: File upload for 'shots/0003.jpg'
2026-04-10 14:23:26,193 [cuckoo.core.resultserver] DEBUG: Task #7513991 uploaded file length: 133462
2026-04-10 14:23:26,208 [cuckoo.core.resultserver] DEBUG: Task #7513991 had connection reset for <Context for LOG>
2026-04-10 14:23:27,626 [cuckoo.core.guest] INFO: win7x646: analysis completed successfully
2026-04-10 14:23:27,639 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2026-04-10 14:23:27,676 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2026-04-10 14:23:28,488 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x646 to path /srv/cuckoo/cwd/storage/analyses/7513991/memory.dmp
2026-04-10 14:23:28,490 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x646
2026-04-10 14:23:35,962 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.206 for task #7513991
2026-04-10 14:23:36,281 [cuckoo.core.scheduler] DEBUG: Released database task #7513991
2026-04-10 14:23:36,296 [cuckoo.core.scheduler] INFO: Task #7513991: analysis procedure completed

Signatures

Yara rules detected for file (5 events)

description	Bypass DEP	rule	disable_dep
description	Escalade priviledges	rule	escalate_priv
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 10, 2026, 3:22 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2026, 3:22 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 688128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2026, 3:22 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2026, 3:22 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b9000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2026, 3:22 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 10, 2026, 3:22 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 10, 2026, 3:22 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW April 10, 2026, 3:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\CPUID HWMonitor_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPUID HWMonitor_is1		2	0

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress April 10, 2026, 3:22 p.m.	ordinal: 0 function_address: 0x0040f7a8 function_name: wine_get_version module: ntdll module_address: 0x774d0000		3221225785	0
LdrGetProcedureAddress April 10, 2026, 3:22 p.m.	ordinal: 0 function_address: 0x004117b0 function_name: wine_get_version module: ntdll module_address: 0x774d0000		3221225785	0

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File hwmonitor_1.63.exe

Summary Download Resubmit sample

Score

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample