dwm.exe

The application dwm.exe has been detected as a potentially unwanted program by 18 of 68 anti-malware scanners. It is a malicious Bitcoin miner. Bitcoin-mining malware forces infected computers to generate Bitcoins for cybercriminals' use and consumes their computing power. While running, it connects to the Internet address ip106.ip-79-137-57.eu on port 8080.
MD5:
e780fdbb22917d817a27e8d8b175cb56

SHA-1:
284d90ce7aaf93cbb9223fc309cfa4a6abc773d0

SHA-256:
2d7b11124c9ebbda11e3baa3cf72faa9f7a412213e6f02734b7c28c4544d5db9

Scanner detections:
18 / 68

Status:
Potentially unwanted

Explanation:
The program mines Bitcoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
4/19/2024 9:58:57 PM UTC

Scanner                 Detection                                           Engine version
Lavasoft Ad-Aware       Application.Generic.1143925                         583
Agnitum Outpost         Riskware.BitCoinMiner                               7.1.1
Avira AntiVirus         TR/BitCoinMiner.Gen                                 3.6.1.96
avast!                  Win32:Miner-B [PUP]                                 2014.9-150327
AVG                     Generic36                                           2016.0.3158
Dr.Web                  Tool.BtcMine.390                                    9.0.1.086
ESET NOD32              Win64/BitCoinMiner.U potentially unsafe (variant)   9.11377
F-Secure                Application.Generic.1143925                         11.2015-02-07_5
herdProtect (fuzzy)     (no signature name listed)                          2015.7.2.1
IKARUS anti.virus       not-a-virus:RiskTool.BitCoinMiner                   t3scan.1.8.6.0
Kaspersky               not-a-virus:RiskTool.Win64.BitCoinMiner             14.0.0.2283
MicroWorld eScan        Application.Generic.1143925                         16.0.0.549
Qihoo 360 Security      Win32/Virus.RiskTool.3a8                            1.0.0.1015
Reason Heuristics       Threat.Win.Reputation.IMP                           15.3.27.7
Sophos                  Troj/Miner-AB                                       4.98
Trend Micro House Call  TROJ_GEN.R0C1C0RCP15                                7.2.86
Trend Micro             TROJ_GEN.R0C1C0RCP15                                10.465.27
VIPRE Antivirus         Trojan.Win32.Generic                                38780

File size:
892.5 KB (913,920 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\dwm.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
12288:jadKrlOKW85aHFD1Q9bGlvTOAvzkturDIUHEx8rLP9yCU55wU0U9YrK:jaYrlFW07kLRHu8rLP9yCU57t9Yr

Entry address:
0x14D0

Entry point:
48, 83, EC, 28, C7, 05, 72, 2C, 0E, 00, 00, 00, 00, 00, E8, ED, FF, 0A, 00, E8, 98, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 41, 57, 41, 56, 41, 55, 41, 54, 55, 57, 56, 53, 48, 81, EC, C8, 00, 00, 00, 4C, 8B, 69, 40, BB, 40, 00, 00, 00, 48, 89, 8C, 24, 10, 01, 00, 00, 48, 89, 94, 24, 18, 01, 00, 00, 4C, 89, 84, 24, 20, 01, 00, 00, 4C, 29, EB, 4C, 39, C3, 0F, 87, 60, 8B, 00, 00, 48, 8B, AC, 24, 10, 01, 00, 00, 48, 89, CA, 48, 8B, 49, 48, 4C, 8B, 9C, 24, 10, 01, 00, 00, 4C, 8B, B4, 24, 10, 01, 00, 00, 48...

Entropy:
6.6541

Code size:
733.5 KB (751,104 bytes)

When executed, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to ip217.ip-178-32-196.eu  (178.32.196.217:8080)

TCP (HTTP):
Connects to ip106.ip-79-137-57.eu  (79.137.57.106:8080)

Remove dwm.exe - Powered by Reason Core Security