File verdict · Decided by the MT AI Engine
Our call

Safe

Legitimate HWMonitor 1.63 installer from trusted publisher CPUID with perfect clean scan across 70 engines and expected installation behavior.

Verified · CPUID
Trust score · 92 · High trust
MT AI confidence · 95%
hwmonitor_1.63.exe
2.9 MB
6c8faba4768754c33611a09cb064
Antivirus engines
0 of 74 flagged
Code signing
Signed by CPUID
Age
First seen 2mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

95% Confidence
Very high
Reasoning

No engines flagged this file malicious, with 17 tier-1 engines explicitly reporting clean. The CPUID signature is verified and matches our trusted publisher list. Runtime behavior shows standard installer actions like dropping HWMonitor.exe to Program Files\CPUID\HWMonitor and creating a Start Menu shortcut. The process injection heuristic fired due to interaction with Explorer.EXE, but this aligns with monitoring software needs and is not corroborated by any detections or malicious outcomes. Medium prevalence and positive reputation further support legitimacy.

Key signals · 4

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. signing.trustedPublisher.matched=true ('CPUID')

  2. engines.tier1Malicious=0, tier1ReportedClean=17 (Avast, BitDefender, ESET-NOD32, Kaspersky)

  3. behaviour.filesWritten includes 'C:\Program Files\CPUID\HWMonitor\HWMonitor.exe' and 'HWMonitor.lnk'

  4. file.reputation=5, prevalence.uniqueSources=3457

Points in its favour
  • Trusted CPUID publisher signature
  • 0/70 engine detections
  • 17 tier-1 clean reports
  • Expected HWMonitor install path
  • Medium prevalence (5956 submissions)
What to do

This file is safe and appears to be the genuine HWMonitor installer. Run it confidently, but always prefer downloads from cpuid.com to avoid tampered copies.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
20

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012, T1027, T1027.002, T1033, T1036, T1055, T1059, T1070, T1071, T1082, T1083, T1129, T1134, T1485, T1497, T1529, T1539, T1548, T1614, T1614.001
Spawned processes
7
  • "C:\Users\<USER>\Desktop\hwmonitor_1.63.exe"
  • "C:\Users\<USER>\AppData\Local\Temp\is-5NPS0.tmp\hwmonitor_1.63.tmp" /SL5="$200EA,2198701,776192,C:\Users\<USER>\Desktop\hwmonitor_1.63.exe"
  • C:\Windows\Explorer.EXE
  • "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\CPUID\HWMonitor\hwm_readme.txt
  • C:\Users\<USER>\AppData\Local\Temp\is-T1SU5.tmp\hwmonitor_1.63.tmp /SL5=$2019E,2198701,776192,C:\Users\<USER>\Downloads\hwmonitor_1.63.exe
  • "C:\Users\user\Desktop\hwmonitor_1.63.exe"
  • "C:\Users\user\AppData\Local\Temp\is-HD8SA.tmp\hwmonitor_1.63.tmp" /SL5="$402BA,2198701,776192,C:\Users\user\Desktop\hwmonitor_1.63.exe"
Filesystem & mutexes
32
Files written · 15
  • C:\Users\<USER>\AppData\Local\Temp\is-5NPS0.tmp\hwmonitor_1.63.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-28NB3.tmp\_isetup\_setup64.tmp
  • C:\Program Files\CPUID\HWMonitor\HWMonitor.exe
  • C:\Program Files\CPUID\HWMonitor\unins000.dat
  • C:\Program Files\CPUID\HWMonitor\is-USUVC.tmp
+10 more
Files deleted · 14
  • C:\Program Files\CPUID\HWMonitor\is-USUVC.tmp
  • C:\Program Files\CPUID\HWMonitor\is-FFID1.tmp
  • C:\Program Files\CPUID\HWMonitor\is-2VTQI.tmp
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\HWMonitor\HWMonitor.lnk
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\HWMonitor\HWMonitor.pif
+9 more
Mutexes created · 3
  • cversions.3.m
  • \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
  • \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

1 synthesis
MITRE ATT&CK profile
Defense evasion × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection · high

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\Explorer.EXE
Antivirus engine breakdown

0 detections across 74 engines

0 malicious · 0 suspicious · 74 clean
  • Tier-1 · 17 engines · 0 flagged · Top commercial AVs (low FP rate)
  • Tier-2 · 37 engines · 0 flagged · Mainstream engines with mixed FP rates
  • Low-trust · 20 engines · 0 flagged · Heuristic / generic-AI engines (high FP rate)
All 74 engines report this file as clean.
Hash 6c8faba47687… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

ent 8.00 · Unpacked
Section entropy · 10 sections
  • .text · 6.38
  • .itext · 6.11
  • .data · 4.96
  • .bss · 0.00
  • .idata · 5.02
  • .didata · 2.73
  • .edata · 1.31
  • .tls · 0.00
  • .rdata · 1.39
  • .rsrc · 3.72
Scale 0.0 to 8.0 · Packed threshold 7.2
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
3,457
Hundreds of people have uploaded this — common.
Total submissions
5,956
Includes repeat uploads by the same source.
First seen by VT
2mo ago
Apr 3, 2026
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
  • First seen (VT): 4/3/2026, 5:21:52 AM
  • First seen (MalwareBazaar):
  • Last analysis (VT): 5/4/2026, 8:25:15 AM
  • Scanned here: 5/4/2026, 11:05:40 AM
  • File name: hwmonitor_1.63.exe
  • Size: 2.93 MB
  • MIME type: (unknown)
  • Detected type: Win32 EXE
  • SHA-256: 6c8faba4768754c3364e7c400a9d79ccbece156087be607583619f11a09cb064
  • MD5: 79248bcce8f639ecb02849d1eafe3844
  • SHA-1: 8ba3b2abd30447ecdb9623c8434271b54bfbdadf
  • PE imphash: 40ab50289f7ef5fae60801f88d4541fc
  • First scan (MalwareTips): 5/4/2026, 11:05:41 AM
  • Last scan (MalwareTips): 5/4/2026, 11:05:40 AM
  • Code signer: CPUID (verified)
  • Community reputation: +5 (trusted)
  • Behavior tags: overlay, peexe, signed
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.