dwm.exe

The application dwm.exe has been detected as a potentially unwanted program by 20 anti-malware scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address ip217.ip-178-32-196.eu on port 8080.
MD5:
d6354f54b2ec6adb3340922a15e8b8c0

SHA-1:
a7cf9b19a6211d029de2d83306f589908016d949

SHA-256:
c3596ef5fd64b011a58cf9aa972c37b60b22992f77d57399400bca158e1d1779

Scanner detections:
20 / 68

Status:
Potentially unwanted

Explanation:
The program mines Bitcoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
4/25/2024 9:26:26 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Application.Generic.1143925 | 564 |
| Agnitum Outpost | Riskware.BitCoinMiner | 7.1.1 |
| Avira AntiVirus | TR/BitCoinMiner.Gen | 3.6.1.96 |
| avast! | Win32:Miner-B [PUP] | 2014.9-150419 |
| AVG | Trojan horse Generic36.ADKK | 2014.0.4311 |
| Dr.Web | hacktool program Tool.BtcMine.390 | 9.0.1.05190 |
| ESET NOD32 | Win64/BitCoinMiner.U potentially unsafe application | 7.0.302.0 |
| F-Secure | Application.Generic.1143925 | 11.2015-20-07_2 |
| herdProtect (fuzzy) | | 2015.7.20.19 |
| IKARUS anti.virus | not-a-virus:RiskTool.BitCoinMiner | t3scan.1.8.9.0 |
| Kaspersky | not-a-virus:RiskTool.Win64.BitCoinMiner | 15.0.0.543 |
| MicroWorld eScan | Application.Generic.1143925 | 16.0.0.603 |
| Panda Antivirus | Generic Suspicious | 15.04.19.07 |
| Qihoo 360 Security | Win32/Trojan.Multi.a56 | 1.0.0.1015 |
| Reason Heuristics | Threat.Win.Reputation.IMP | 15.4.19.3 |
| Sophos | Virus 'Troj/Miner-AB' | 5.13 |
| Trend Micro House Call | TROJ_GEN.R0C1C0RDI15 | 7.2.109 |
| Trend Micro | TROJ_GEN.R0C1C0RDI15 | 10.465.19 |
| VIPRE Antivirus | Threat.4150696 | 38882 |

File size:
892.5 KB (913,920 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\dwm.exe
Note: the file name imitates the legitimate Windows Desktop Window Manager process, which runs from C:\Windows\System32; a dwm.exe executing from a user's temp directory (and, as here, built as a console-subsystem binary) does not match the genuine one.

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
12288:jadKrlOKW85aHFD1Q9bGlvTOAvzkturDIUHEx8rLP9yCU55wU0U9UrK:jaYrlFW07kLRHu8rLP9yCU57t9Ur

Entry address:
0x14D0

Entry point:
48, 83, EC, 28, C7, 05, 72, 2C, 0E, 00, 00, 00, 00, 00, E8, ED, FF, 0A, 00, E8, 98, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 41, 57, 41, 56, 41, 55, 41, 54, 55, 57, 56, 53, 48, 81, EC, C8, 00, 00, 00, 4C, 8B, 69, 40, BB, 40, 00, 00, 00, 48, 89, 8C, 24, 10, 01, 00, 00, 48, 89, 94, 24, 18, 01, 00, 00, 4C, 89, 84, 24, 20, 01, 00, 00, 4C, 29, EB, 4C, 39, C3, 0F, 87, 60, 8B, 00, 00, 48, 8B, AC, 24, 10, 01, 00, 00, 48, 89, CA, 48, 8B, 49, 48, 4C, 8B, 9C, 24, 10, 01, 00, 00, 4C, 8B, B4, 24, 10, 01, 00, 00, 48...

Entropy:
6.6541

Code size:
733.5 KB (751,104 bytes)

When executed in live environments, the file has been observed making the following network communication.

TCP (HTTP):
Connects to ip217.ip-178-32-196.eu (178.32.196.217:8080)
