
Windows Analysis Report
dwm.exe

Overview

General Information

Sample name:dwm.exe
Analysis ID:1461421
MD5:54d4b7e69178f0f53b1af2113c476ec0
SHA1:592897b0fb589496d8ed3c86bcd954b55a69af26
SHA256:19c59928654fd8cb64ec6500d4a23a16c8d5c749257c7ca11aad7c5acf2fa161

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

PE file has a writeable .text section
Sigma detected: System File Execution Location Anomaly
Entry point lies outside standard sections
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Classification radar (chart labels only; the rendered chart did not survive extraction): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.
  • System is w10x64
  • dwm.exe (PID: 6340 cmdline: "C:\Users\user\Desktop\dwm.exe" MD5: 54D4B7E69178F0F53B1AF2113C476EC0)
    • conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\Desktop\dwm.exe", CommandLine: "C:\Users\user\Desktop\dwm.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\dwm.exe, NewProcessName: C:\Users\user\Desktop\dwm.exe, OriginalFileName: C:\Users\user\Desktop\dwm.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\dwm.exe", ProcessId: 6340, ProcessName: dwm.exe
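The Sigma hit above fires because a binary named like a Windows system file (dwm.exe) was started from a user-writable path. The following is an added example, not code from the report, from Joe Sandbox or from the Sigma project, that reproduces that detection logic over process-creation events. The set of system image names and the allowed directories are assumptions of this example (the real rule carries longer lists of both); the first two sample events are taken from the process tree in this report, the rest are constructed.

```python
"""Detection logic behind the "System File Execution Location Anomaly" Sigma hit (added example)."""
from dataclasses import dataclass

# Image names that Windows ships only under the directories listed next. Assumption of this example.
SYSTEM_IMAGE_NAMES = {
    "dwm.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "conhost.exe", "services.exe", "smss.exe", "wininit.exe", "taskhostw.exe",
}

# Lower-case directory prefixes (trailing backslash) under which those images are expected.
ALLOWED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\windows\\servicing\\",
)


@dataclass(frozen=True)
class ProcessCreation:
    """The fields of a process-creation event (Sysmon EID 1 / Security 4688) the check needs."""
    image: str
    command_line: str
    parent_image: str
    process_id: int


def normalize_path(path: str) -> str:
    """Lower-case the path and fold forward slashes so prefix matching is reliable."""
    return path.replace("/", "\\").lower()


def is_system_file_location_anomaly(event: ProcessCreation) -> bool:
    """True when the image name is a system binary but its path is outside the allowed directories."""
    path = normalize_path(event.image)
    name = path.rsplit("\\", 1)[-1]
    if name not in SYSTEM_IMAGE_NAMES:
        return False
    return not path.startswith(ALLOWED_PREFIXES)


def detect(events):
    """Return the image paths of all events that trip the check, in input order."""
    return [ev.image for ev in events if is_system_file_location_anomaly(ev)]


# Constructed sample events. The first two mirror the process tree in the report (dwm.exe started
# from the user's Desktop, spawning the genuine conhost.exe); the others are invented to show the
# negative cases, a forward-slash path and a copy of svchost.exe planted in a writable directory.
SAMPLE_EVENTS = [
    ProcessCreation(r"C:\Users\user\Desktop\dwm.exe", r'"C:\Users\user\Desktop\dwm.exe"', "", 6340),
    ProcessCreation(r"C:\Windows\System32\conhost.exe",
                    r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
                    r"C:\Users\user\Desktop\dwm.exe", 5028),
    ProcessCreation(r"C:\Windows\System32\dwm.exe", "dwm.exe", r"C:\Windows\System32\winlogon.exe", 900),
    ProcessCreation(r"C:\Windows\Temp\svchost.exe", "svchost.exe -k netsvcs", r"C:\Windows\explorer.exe", 7788),
    ProcessCreation("c:/windows/syswow64/conhost.exe", "conhost.exe", r"C:\Windows\SysWOW64\cmd.exe", 7790),
    ProcessCreation(r"C:\Users\user\Desktop\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe", 7791),
]

if __name__ == "__main__":
    for image in detect(SAMPLE_EVENTS):
        print("ANOMALY:", image)
```

Only the image path is consulted, on purpose: the report shows the command line, OriginalFileName and ProcessName all echoing the attacker-chosen name, so none of them can be used to tell the sample from the real Desktop Window Manager; the directory is the only field the attacker did not control.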
No Snort rule has matched

Source: dwm.exe, 00000000.00000002.3297466604.0000000140835000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_acd41883-5
Source: unknown | DNS traffic detected: query: 158.157.4.0.in-addr.arpa reply code: Name error (3) (NXDOMAIN)
Source: unknown | TCP traffic detected without corresponding DNS query: 88.119.167.239 (50 identical entries collapsed into one)
Source: dwm.exe | String found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo) (note: this serial-number/common-name list is the certificate blacklist that QtNetwork compiles into QSslCertificate, covering the fraudulently issued or misissued certificates of the 2008 to 2013 CA incidents such as DigiNotar and the MD5-collision rogue CA; it appears in any binary that links QtNetwork and is a library artifact, not an indicator specific to this sample)
Source: global traffic | DNS traffic detected: DNS query: 158.157.4.0.in-addr.arpa
Source: dwm.exe | String found in binary or memory: http://bugreports.qt.io/
Source: dwm.exe | String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca
Source: dwm.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: dwm.exe | String found in binary or memory: http://www.phreedom.org/md5)
Source: dwm.exe | String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: dwm.exe, 00000000.00000002.3296735047.00000000005E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://88.119.167.239/
Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions, with local ports 49705-49708 and 49715-49736 except 49722 (25 connections; 50 per-direction entries collapsed into one)
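The "TCP traffic detected without corresponding DNS query" entries above come from correlating connection events with the DNS answers that preceded them. Here is an added example, not code from the report or from Joe Sandbox, that implements that correlation and also decodes the one DNS query the sample did make. The DNS and TCP events are constructed from the report's data (the NXDOMAIN PTR lookup, the 25 connections to 88.119.167.239:443) plus two invented control connections; timestamps are assumptions. Decoding the PTR name shows it asks about 0.4.157.158, not about the address the sample connects to, so the lone DNS query is not a reverse lookup of the command-and-control host.

```python
"""Connections without a prior DNS answer, and what the sample's PTR query refers to (added example)."""
from collections import defaultdict

# (time, query name, rcode, answered IPv4 addresses); rcode 3 is NXDOMAIN ("Name error" in the report).
DNS_EVENTS = [
    (1.0, "158.157.4.0.in-addr.arpa", 3, []),      # from the report: PTR lookup, no answer
    (2.0, "example.test", 0, ["203.0.113.7"]),     # constructed control lookup (TEST-NET-3 address)
]

# Local source ports from the report: 49705-49708 and 49715-49736 except 49722.
_REPORTED_PORTS = [49705, 49706, 49707, 49708] + [p for p in range(49715, 49737) if p != 49722]

# (time, source port, destination IP, destination port)
TCP_EVENTS = [(3.0 + i * 0.1, port, "88.119.167.239", 443) for i, port in enumerate(_REPORTED_PORTS)]
TCP_EVENTS.append((2.5, 49722, "203.0.113.7", 443))   # constructed: connection after the answer (benign)
TCP_EVENTS.append((0.5, 49700, "203.0.113.7", 443))   # constructed: same IP, but before any answer
TCP_EVENTS.sort()


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an IPv4 address: 88.119.167.239 -> 239.167.119.88.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def ptr_to_ip(name: str) -> str:
    """Inverse of ptr_name: the address a PTR query name asks about."""
    octets = name.lower().removesuffix(".in-addr.arpa").split(".")
    return ".".join(reversed(octets))


def unresolved_connects(dns_events, tcp_events):
    """Map destination IP -> [(time, source port)] for connections no earlier DNS answer explains."""
    answered = sorted((t, ip) for t, _, rcode, ips in dns_events if rcode == 0 for ip in ips)
    hits = defaultdict(list)
    for t, sport, dst, _ in sorted(tcp_events):
        # Only an answer that arrived at or before the connect counts; an answer seen later
        # cannot be what produced this destination address.
        if not any(ip == dst and t_answer <= t for t_answer, ip in answered):
            hits[dst].append((t, sport))
    return dict(hits)


def summarize(dns_events, tcp_events):
    """One finding per unresolved destination, plus the address behind every PTR query seen."""
    lines = []
    for dst, conns in unresolved_connects(dns_events, tcp_events).items():
        lines.append(f"{dst}: {len(conns)} connection(s) without DNS resolution (hard-coded address?)")
    for _, qname, _, _ in dns_events:
        if qname.endswith(".in-addr.arpa"):
            lines.append(f"PTR query {qname} refers to {ptr_to_ip(qname)}")
    return lines


if __name__ == "__main__":
    for line in summarize(DNS_EVENTS, TCP_EVENTS):
        print(line)
```

The time check matters in practice: a destination that a DNS answer explains only after the connection was already opened is still a hard-coded address, which is why the constructed connection at t=0.5 is reported alongside the 25 connections to 88.119.167.239.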

System Summary

Source: dwm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: dwm.exe | Static PE information: Section: .qtmimed ZLIB complexity 0.998816741756135
Source: dwm.exe | Binary or memory string: .telemark.nomalatvuopmi.nohamburgreservd.dev.thingdust.iogo.jpotsuchi.iwate.jpnet.slnet.soal.usbounceme.netgo.keporsgrunn.nonet.ss!city.yokohama.jptarnobrzeg.plnet.stdishis-a-chef.coms.bggjerdrum.noshiogama.miyagi.jptara.saga.jpyamada.toyama.jpnet.thnet.synet.tjs (a fragment of the Public Suffix List that QtNetwork compiles in for cookie and domain handling; a library artifact, not sample-specific)
Source: classification engine | Classification label: mal48.winEXE@2/1@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Users\user\Desktop\dwm.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dwm.exe | String found in binary or memory: <!--StartFragment-->
Source: dwm.exe | String found in binary or memory: <!--StartFragment--><!--EndFragment-->
Source: dwm.exe | String found in binary or memory: in-addr.arpa
Source: dwm.exe | String found in binary or memory: .jpiwamizawa.hokkaido.jpnomi.ishikawa.jptakaoka.toyama.jpcloudns.asiais-a-caterer.comsupabase.cogarden.museumcommunity-pro.defriuli-vegiulia.itin-addr.arpaapp.render.com
Source: dwm.exe | String found in binary or memory: Africa/Addis_Ababa
Source: unknown | Process created: C:\Users\user\Desktop\dwm.exe "C:\Users\user\Desktop\dwm.exe"
Source: C:\Users\user\Desktop\dwm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dwm.exe | Section loaded: profapi.dll
Source: dwm.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: dwm.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: dwm.exe | Static file information: File size 13854720 > 1048576
Source: dwm.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7fe800
Source: dwm.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2ae600
Source: dwm.exe | Static PE information: Raw size of .tmc is bigger than: 0x100000 < 0x1aec00
Source: dwm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dwm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dwm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dwm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dwm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dwm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dwm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dwm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dwm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dwm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dwm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dwm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: initial sample | Static PE information: section where entry point is pointing to: .tmc
Source: dwm.exe | Static PE information: section name: .qtmetad
Source: dwm.exe | Static PE information: section name: .qtmimed
Source: dwm.exe | Static PE information: section name: _RDATA
Source: dwm.exe | Static PE information: section name: .tmc
Source: C:\Users\user\Desktop\dwm.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries collapsed into one)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: dwm.exe | Binary or memory string: .?AVQEmulationPaintEngine@@
Source: dwm.exe, 00000000.00000002.3296735047.00000000005CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==
MITRE ATT&CK matrix (a technique prefixed with a count had that many matching signatures; unprefixed techniques are the placeholders the matrix prints for every tactic):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
  • Defense Evasion: 1 Software Packing; 1 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: 1 Security Software Discovery; 1 System Information Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: 2 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior graph (ID 1461421; the rendered graph and its icon legend did not survive extraction): sample dwm.exe, start date 24/06/2024, architecture WINDOWS, score 48. Nodes: dwm.exe (started) -> conhost.exe (started); DNS: 158.157.4.0.in-addr.arpa; IP: 88.119.167.239, port 443, local ports 49705, 49706 (IST-ASLT, Lithuania). Signatures attached to the graph: PE file has a writeable .text section; Sigma detected: System File Execution Location Anomaly.

No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
158.157.4.0.in-addr.arpa | 0% | Virustotal |
Source | Detection | Scanner | Label
http://www.aiim.org/pdfa/ns/id/ | 0% | Avira URL Cloud | safe
http://www.phreedom.org/md5)08:27 | 0% | Avira URL Cloud | safe
http://www.phreedom.org/md5) | 0% | Avira URL Cloud | safe
http://bugreports.qt.io/ | 0% | Avira URL Cloud | safe
http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca | 0% | Avira URL Cloud | safe
https://88.119.167.239/ | 0% | Avira URL Cloud | safe
http://www.phreedom.org/md5)08:27 | 1% | Virustotal |
http://www.phreedom.org/md5) | 1% | Virustotal |
http://www.aiim.org/pdfa/ns/id/ | 0% | Virustotal |
http://bugreports.qt.io/ | 0% | Virustotal |
http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca | 0% | Virustotal |
https://88.119.167.239/ | 0% | Virustotal |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
158.157.4.0.in-addr.arpa | unknown | unknown | false | none | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.phreedom.org/md5) | dwm.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://www.phreedom.org/md5)08:27 | dwm.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca | dwm.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.aiim.org/pdfa/ns/id/ | dwm.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://bugreports.qt.io/ | dwm.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://88.119.167.239/ | dwm.exe, 00000000.00000002.3296735047.00000000005E4000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
88.119.167.239 | unknown | Lithuania | 61272 | IST-ASLT | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1461421
Start date and time:2024-06-24 03:47:48 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 52s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:dwm.exe
Detection:MAL
Classification:mal48.winEXE@2/1@1/1
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
Time | Type | Description
21:48:41 | API Interceptor | 26x Sleep call for process: dwm.exe modified
No context
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (address in the same ASN)
IST-ASLT (AS61272), other samples that contacted this ASN:
  • http://welcome.visionaryyouth.org | malicious | Unknown | 88.119.175.92
  • https://casestudybuddy.com | malicious | Unknown | 88.119.175.92
  • https://scripts.mediavine.com | malicious | Unknown | 88.119.175.92
  • http://earnandexcel.com | malicious | Unknown | 88.119.175.92
  • https://www.bfjfinancial.com | malicious | Unknown | 88.119.175.92
  • http://welcome.visionaryyouth.org | malicious | Unknown | 88.119.175.92
  • https://auraelementary.us/ | malicious | Unknown | 88.119.175.92
  • https://earnandexcel.com/blog/how-to-expand-columns-in-excel-multiple-tricks-to-resize-columns-rows/ | malicious | Unknown | 88.119.175.92
  • p1zLMcKDiy.js | malicious | SocGholish | 88.119.169.207
  • http://infotechnology.fhwa.dot.gov | malicious | Unknown | 88.119.175.92
No context
No context
Process:C:\Users\user\Desktop\dwm.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):652
Entropy (8bit):4.8570036420448215
Encrypted:false
SSDEEP:6:38vNR/DLQghpmYTIa4Lew1+c/DLQghpmYTIa4Lew1+c/DLQghpmYTIa4Lew1+c/O:3kRPKP3PKP3PKP3PKPX
MD5:18BDD7C4A4F217A9A2325278270D7099
SHA1:8760A7D12BC2A878A6B134F64558AE7493F7ACB3
SHA-256:128053B4E9A091C79000DBBA0F404F89224C445311E10AF874ED32795608BA21
SHA-512:A98C1A0F60E51217096B7F4AA0588CC0C090C58AB251B0517235BA1438625CDE50321A958AA0849FAE9A2958AF7DABCE9313A75FDBD5AD031E31BAA720F3B09C
Malicious:false
Reputation:low
Preview:Successfully connected..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):7.396783949194561
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:dwm.exe
File size:13'854'720 bytes
MD5:54d4b7e69178f0f53b1af2113c476ec0
SHA1:592897b0fb589496d8ed3c86bcd954b55a69af26
SHA256:19c59928654fd8cb64ec6500d4a23a16c8d5c749257c7ca11aad7c5acf2fa161
SHA512:ba372679d92e84d67c58f049217900be0fb56be1c5efec9108d47ca4f93ebf0ecbbc992ff7f308ad175fe75a6c8799fd8bec81b8e112976046191ce192ff58de
SSDEEP:393216:EcSJixRXcQvs88RBAKFdu9CwJsv6taszAK66j:CJmE84V
TLSH:D5D6E042AB9B24C1C5B75038CDAF5603D3317D548BE253AB325476F0AD626E4BE2F329
File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........f.a...2...2...2...3...2...3...2.{s2...2.{.3...2.{.3...2.{.3...2.{.3!..2...3...2...3...2...3...2...2...2.{.3...2.{.3...2.{q2...
Icon Hash:00928e8e8686b000
Entrypoint:0x140c09af4
Entrypoint Section:.tmc
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA
Time Stamp:0x65BD1B85 [Fri Feb 2 16:42:45 2024 UTC]
TLS Callbacks:0x407ad948, 0x1
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:52ccbe0bd796df128616fb77adc1cd54
Instruction (entry-point disassembly at 0x140c09af4 in .tmc; note that the listing decodes the x64 code as 32-bit, so each leading dec eax, inc ecx, dec esp or inc esp is really a REX prefix byte (0x48, 0x41, 0x4C, 0x44) belonging to the instruction that follows: "dec eax; mov dword ptr [esp+08h], ebx" is mov [rsp+8], rbx, and the run of "inc ecx; push ..." saves r12 to r15 in a normal x64 prologue)
dec eax
mov dword ptr [esp+08h], ebx
inc esp
mov dword ptr [esp+20h], ecx
dec esp
mov dword ptr [esp+18h], eax
push ebp
push esi
push edi
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
inc ecx
push edi
dec eax
sub esp, 00000670h
dec esp
mov esi, ecx
mov esi, 00002030h
mov ebp, 000BA5E8h
mov ecx, 00000016h
mov ebx, 02BB7EF6h
inc ecx
mov esp, 0005E847h
inc ecx
mov edi, 00033108h
inc ecx
mov ebp, 0038676Ah
mov dword ptr [esp+20h], 7132253Ch
mov dword ptr [esp+24h], 77757451h
mov dword ptr [esp+28h], 41613144h
mov dword ptr [esp+2Ch], 45512424h
mov word ptr [esp+30h], 4C44h
mov byte ptr [esp+32h], 00000000h
dec eax
lea eax, dword ptr [esp+000000C8h]
nop
dec eax
mov dword ptr [eax], FE045D46h
dec eax
mov dword ptr [eax+08h], FE045D46h
dec eax
mov dword ptr [eax+10h], FE045D46h
dec eax
lea eax, dword ptr [eax+40h]
dec eax
mov dword ptr [eax-28h], FE045D46h
dec eax
mov dword ptr [eax-20h], FE045D46h
dec eax
mov dword ptr [eax-18h], FE045D46h
dec eax
mov dword ptr [eax-10h], FE045D46h
dec eax
mov dword ptr [eax-08h], FE045D46h
dec eax
dec ecx
jne 00007F926135666Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaaa8bc | 0x1cc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb9c000 | 0x2e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xae8000 | 0x5fd3c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb9d000 | 0x99d4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9faaf0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x9fab80 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9fa9b0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x800000 | 0x11d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7fe660 | 0x7fe800 | 5a349dd389d8a57b4559f791cb358fbf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x800000 | 0x2ae4ae | 0x2ae600 | e75598483b310b6c269bbba815d6c241 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xaaf000 | 0x38614 | 0x1ec00 | a10428ac2f1ec19c61ea2991559aa5b8 | False | 0.13532933180894308 | GLS_BINARY_LSB_FIRST | 4.131759371740861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xae8000 | 0x5fd3c | 0x5fe00 | f6b46ce5dbfc9f2068bfd9962701872f | False | 0.4874842120273794 | data | 6.543326828847851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qtmetad | 0xb48000 | 0x6f4 | 0x800 | 8ab9b85d3a02244d6af66f0742f6354f | False | 0.24072265625 | data | 5.054922840721276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.qtmimed | 0xb49000 | 0x517ca | 0x51800 | dd73cd7a74dd3e1e6a9262f090e3e6de | False | 0.998816741756135 | gzip compressed data, last modified: Thu Jun 1 23:16:40 2023, max compression, from Unix, original size modulo 2^32 0 | 7.997560880881912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
_RDATA | 0xb9b000 | 0x15c | 0x200 | 308f1ba156d13745fb4e8f7ce9f7a503 | False | 0.41796875 | data | 3.3631171724566897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xb9c000 | 0x2e0 | 0x400 | d26233b7724a6c89079cb8c636ba516f | False | 0.3984375 | data | 4.261922928843283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb9d000 | 0x99d4 | 0x9a00 | 29c838662f5fdd570a38a82ac6a7f984 | False | 0.2327516233766234 | data | 5.46021927128898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.tmc | 0xba7000 | 0x1aec00 | 0x1aec00 | b27d164fd6b4252961a95d4461afffa4 | False | 0.4118622587782937 | data | 6.459964578374451 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0xb9c060 | 0x27e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5501567398119123 |
| DLL | Import |
|---|---|
| KERNEL32.dll | lstrcpyA, WriteConsoleW, GetLastError, GetModuleHandleW, GetProcAddress, LocalFree, FormatMessageW, WTSGetActiveConsoleSessionId, GlobalAlloc, GlobalSize, GlobalUnlock, GlobalLock, CheckRemoteDebuggerPresent, CloseHandle, OpenProcess, GetCurrentThreadId, ExpandEnvironmentStringsW, CreateProcessW, GetLocaleInfoW, LoadLibraryA, GetCurrentProcessId, CreateFileW, GetFileSizeEx, ReadFile, WriteFile, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, WideCharToMultiByte, LocalAlloc, GetUserDefaultLocaleName, GetConsoleWindow, GetUserDefaultLangID, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, ExitProcess, CreateEventW, WaitForMultipleObjects, GlobalFree, SetHandleInformation, OutputDebugStringW, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, CompareStringEx, GetCommandLineW, GetSystemTime, GetLocalTime, SetEvent, WaitForSingleObjectEx, GetSystemDirectoryW, LoadLibraryW, DuplicateHandle, WaitForSingleObject, Sleep, CreateThread, GetCurrentThread, SetThreadPriority, GetThreadPriority, TerminateThread, ResumeThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemInfo, ResetEvent, GetDateFormatW, GetTimeFormatW, GetCurrencyFormatW, GetUserDefaultLCID, GetUserPreferredUILanguages, GetFileAttributesExW, QueryPerformanceCounter, QueryPerformanceFrequency, GetTickCount64, MultiByteToWideChar, GetModuleFileNameW, FindCloseChangeNotification, FindFirstChangeNotificationW, FindNextChangeNotification, GetDriveTypeW, PeekNamedPipe, GetOverlappedResult, CancelIoEx, CreateThreadpoolWait, SetThreadpoolWait, WaitForThreadpoolWaitCallbacks, CloseThreadpoolWait, FlushFileBuffers, GetFileType, GetLogicalDrives, SetEndOfFile, SetFilePointerEx, SetErrorMode, GetCurrentDirectoryW, CreateDirectoryW, DeleteFileW, FindClose, FindFirstFileW, GetFileAttributesW, GetFileInformationByHandle, GetFullPathNameW, GetLongPathNameW, RemoveDirectoryW, SetFileTime, GetTempPathW, GetVolumePathNamesForVolumeNameW, DeviceIoControl, CopyFileW, MoveFileW, MoveFileExW, TzSpecificLocalTimeToSystemTime, FileTimeToSystemTime, SystemTimeToFileTime, GetFileInformationByHandleEx, FreeLibrary, GetModuleHandleExW, FindFirstFileExW, FindNextFileW, GetTimeZoneInformation, GetGeoInfoW, GetUserGeoID, GetExitCodeProcess, K32GetModuleFileNameExW, ReleaseMutex, CreateMutexW, VirtualAlloc, VirtualFree, InitializeCriticalSectionAndSpinCount, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, InitializeCriticalSectionEx, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlPcToFileHeader, RaiseException, RtlUnwindEx, InterlockedPushEntrySList, SetLastError, RtlUnwind, LoadLibraryExW, GetCommandLineA, ExitThread, FreeLibraryAndExitThread, SetStdHandle, SetFileAttributesW, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, GetStdHandle, HeapFree, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, IsValidLocale, EnumSystemLocalesW, HeapReAlloc, SetEnvironmentVariableW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, HeapSize |
| ADVAPI32.dll | AllocateAndInitializeSid, RegSetValueExW, GetUserNameA, GetUserNameW, RegQueryInfoKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegCloseKey, RegNotifyChangeKeyValue, RegOpenKeyExW, RegQueryValueExW, SystemFunction036, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, OpenProcessToken, AccessCheck, CopySid, DuplicateToken, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, FreeSid, GetLengthSid, MapGenericMask, LookupAccountSidW, GetEffectiveRightsFromAclW, GetNamedSecurityInfoW, BuildTrusteeWithSidW, LookupAccountNameW |
| dwmapi.dll | DwmSetWindowAttribute, DwmGetWindowAttribute, DwmEnableBlurBehindWindow |
| IMM32.dll | ImmGetDefaultIMEWnd, ImmGetContext, ImmReleaseContext, ImmAssociateContext, ImmAssociateContextEx, ImmGetCompositionStringW, ImmGetOpenStatus, ImmNotifyIME, ImmSetCompositionWindow, ImmGetVirtualKey, ImmSetCandidateWindow |
| WTSAPI32.dll | WTSFreeMemory, WTSQuerySessionInformationW |
| CRYPT32.dll | CertAddStoreToCollection, CertVerifyTimeValidity, CertFindChainInStore, CertGetCertificateChain, CertDuplicateCertificateContext, CertFreeCertificateChain, CertAddCertificateContextToStore, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenStore, CertOpenSystemStoreW, CertFindCertificateInStore, CertCloseStore, PFXImportCertStore |
| bcrypt.dll | BCryptGenerateSymmetricKey, BCryptOpenAlgorithmProvider, BCryptDestroyKey, BCryptSetProperty, BCryptEncrypt, BCryptDecrypt, BCryptCloseAlgorithmProvider |
| DWrite.dll | DWriteCreateFactory |
| DNSAPI.dll | DnsFree, DnsQuery_W |
| IPHLPAPI.DLL | ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToGuid, GetAdaptersAddresses, ConvertInterfaceNameToLuidW, ConvertInterfaceLuidToNameW, ConvertInterfaceLuidToIndex |
| Secur32.dll | FreeCredentialsHandle, InitializeSecurityContextW, AcceptSecurityContext, DeleteSecurityContext, ApplyControlToken, QueryContextAttributesW, FreeContextBuffer, EncryptMessage, DecryptMessage, AcquireCredentialsHandleW, InitSecurityInterfaceW |
| WINHTTP.dll | WinHttpCloseHandle, WinHttpOpen, WinHttpGetDefaultProxyConfiguration, WinHttpGetProxyForUrl, WinHttpGetIEProxyConfigForCurrentUser |
| USERENV.dll | GetUserProfileDirectoryW |
| NETAPI32.dll | NetApiBufferFree, NetShareEnum, NetWkstaGetInfo |
| VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW |
| WINMM.dll | timeSetEvent, timeKillEvent, PlaySoundW |
| WS2_32.dll | ntohl, getaddrinfo, freeaddrinfo, getnameinfo, getsockopt, __WSAFDIsSet, WSAAsyncSelect, htonl, WSACleanup, WSAStartup, gethostname, WSASocketW, WSASendTo, WSASend, WSARecvFrom, WSARecv, WSANtohs, WSANtohl, WSAIoctl, WSAHtonl, WSAConnect, bind, closesocket, getpeername, getsockname, htons, listen, select, setsockopt, WSAGetLastError, WSAAccept |
| USER32.dll | SetClipboardViewer, ChangeClipboardChain, GetWindowThreadProcessId, AttachThreadInput, IsChild, ShowWindow, UpdateLayeredWindow, SetLayeredWindowAttributes, FlashWindowEx, MoveWindow, SetWindowPlacement, IsWindowVisible, IsIconic, SetFocus, RegisterTouchWindow, UnregisterTouchWindow, IsTouchWindow, GetCapture, SetCapture, ReleaseCapture, GetMenu, GetSystemMenu, EnableMenuItem, GetForegroundWindow, SetForegroundWindow, BeginPaint, EndPaint, GetUpdateRect, SetWindowRgn, SetWindowTextW, GetWindowRect, AdjustWindowRectEx, SetCursor, GetWindowLongW, SetWindowLongW, SetWindowLongPtrW, SetParent, GetWindow, DestroyCursor, DestroyIcon, MonitorFromPoint, GetAncestor, SetMenu, DrawMenuBar, CreateMenu, CreatePopupMenu, DestroyMenu, InsertMenuW, AppendMenuW, ModifyMenuW, RemoveMenu, TrackPopupMenu, UnregisterClassW, SetMenuItemInfoW, GetDisplayConfigBufferSizes, QueryDisplayConfig, PostMessageW, MonitorFromWindow, GetMonitorInfoW, EnumDisplayMonitors, GetSysColor, LoadIconW, GetKeyboardLayout, RegisterWindowMessageW, IsWindowEnabled, CreateCaret, DestroyCaret, HideCaret, ShowCaret, SetCaretPos, FindWindowA, PeekMessageW, IsZoomed, GetKeyState, GetKeyboardState, ToAscii, ToUnicode, MapVirtualKeyW, TrackPopupMenuEx, SetCursorPos, GetCursor, LoadCursorW, CreateCursor, CreateIconIndirect, GetIconInfo, GetCursorInfo, TrackMouseEvent, GetMessageExtraInfo, GetAsyncKeyState, GetTouchInputInfo, CloseTouchInputHandle, GetWindowTextW, EnumWindows, RealGetWindowClassW, ChangeWindowMessageFilterEx, DrawIconEx, TranslateMessage, DispatchMessageW, GetQueueStatus, MsgWaitForMultipleObjectsEx, SetTimer, KillTimer, CharNextExA, RegisterDeviceNotificationW, UnregisterDeviceNotification, UnregisterPowerSettingNotification, SendMessageW, RegisterPowerSettingNotification, GetKeyboardLayoutList, UpdateLayeredWindowIndirect, SystemParametersInfoW, GetDesktopWindow, GetCaretBlinkTime, IsHungAppWindow, EnumDisplayDevicesW, RegisterClassW, GetClipboardFormatNameW, RegisterClipboardFormatW, LoadImageW, GetParent, GetWindowLongPtrW, GetSysColorBrush, ChildWindowFromPointEx, WindowFromPoint, ScreenToClient, ClientToScreen, GetCursorPos, GetClientRect, MessageBeep, InvalidateRect, ReleaseDC, GetDC, GetSystemMetrics, GetFocus, GetWindowPlacement, SetWindowPos, DestroyWindow, CreateWindowExW, RegisterClassExW, DisplayConfigGetDeviceInfo, GetClassInfoW, IsWindow, GetDoubleClickTime, DefWindowProcW, GetMenuItemInfoW |
| GDI32.dll | DeleteDC, DescribePixelFormat, GetPixelFormat, SwapBuffers, GetBitmapBits, GetObjectW, CreateFontIndirectW, SelectObject, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, SetLayout, OffsetRgn, DeleteObject, CreateRectRgn, CombineRgn, SetPixelFormat, ChoosePixelFormat, GetDeviceCaps, CreateDCW, CreateBitmap, EnumFontFamiliesExW, ExtTextOutW, SetWorldTransform, SetTextAlign, SetTextColor, SetGraphicsMode, SetBkMode, GetCharABCWidthsI, GetCharWidthI, GetTextExtentPoint32W, GetOutlineTextMetricsW, GetGlyphOutlineW, GetCharABCWidthsFloatW, GetCharABCWidthsW, GetStockObject, GetDIBits, GdiFlush, CreateDIBSection, GetTextFaceW, GetTextMetricsW, RemoveFontMemResourceEx, AddFontMemResourceEx, RemoveFontResourceExW, AddFontResourceExW, GetFontData |
| SHELL32.dll | SHGetKnownFolderPath, CommandLineToArgvW, Shell_NotifyIconGetRect, Shell_NotifyIconW, SHBrowseForFolderW, SHGetKnownFolderIDList, SHGetPathFromIDListW, SHGetMalloc, SHCreateItemFromParsingName, SHCreateItemFromIDList, SHGetFileInfoW, SHGetStockIconInfo, ShellExecuteW |
| ole32.dll | RevokeDragDrop, CoUninitialize, CoLockObjectExternal, CoInitialize, CoCreateInstance, DoDragDrop, CoGetMalloc, CoCreateGuid, CoInitializeEx, OleIsCurrentClipboard, OleFlushClipboard, OleGetClipboard, OleSetClipboard, ReleaseStgMedium, CoTaskMemFree, OleUninitialize, OleInitialize, RegisterDragDrop |
| OLEAUT32.dll | GetErrorInfo, SysFreeString, SafeArrayPutElement, SafeArrayCreateVector, SysAllocString, VariantInit, VariantClear, SetErrorInfo, SysStringLen |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |


  • Total Packets: 80
  • 443 (HTTPS)
  • 53 (DNS)
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 24, 2024 03:48:41.545923948 CEST | 52714 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jun 24, 2024 03:48:41.553235054 CEST | 53 | 52714 | 1.1.1.1 | 192.168.2.5 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jun 24, 2024 03:48:41.545923948 CEST | 192.168.2.5 | 1.1.1.1 | 0xe567 | Standard query (0) | 158.157.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jun 24, 2024 03:48:41.553235054 CEST | 1.1.1.1 | 192.168.2.5 | 0xe567 | Name error (3) | 158.157.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false |
Target ID: 0
Start time: 21:48:40
Start date: 23/06/2024
Path: C:\Users\user\Desktop\dwm.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\dwm.exe"
Imagebase: 0x140000000
File size: 13'854'720 bytes
MD5 hash: 54D4B7E69178F0F53B1AF2113C476EC0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 21:48:40
Start date: 23/06/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

No disassembly