Windows Analysis Report
dmwSettings.ex#.exe

Overview

General Information

Sample name: dmwSettings.ex#.exe
Analysis ID: 1579334
MD5: f8f57f52bb2f0ac60ca0a2d45b1e513e
SHA1: a8e4f14fe26d0d92bd45eabf532a7f51a5b1d848
SHA256: 2ba1325bfe35aa2eb91ef3889e2d978624ad19d61dc2acae0df7f0d85cffd395
Tags: exeuser-500mk500

Detection

MicroClip
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected MicroClip
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Classification

AV Detection

Source: dmwSettings.ex#.exe Avira: detected
Source: dmwSettings.ex#.exe Virustotal: Detection: 22%
Source: dmwSettings.ex#.exe ReversingLabs: Detection: 18%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: dmwSettings.ex#.exe Joe Sandbox ML: detected
Source: dmwSettings.ex#.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cv.iptc.org/newscodes/digitalsourcetype/compositeWithTrainedAlgorithmicMedia
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://pki-crl.symauth.com/ca_7a5c3a0c73117406add19312bc1bc23f/LatestCRL.crl07
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://pki-ocsp.symauth.com0
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000004FB1000.00000004.00001000.00020000.00000000.sdmp, dmwSettings.ex#.exe, 00000000.00000003.1821215276.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, dmwSettings.ex#.exe, 00000000.00000002.4185861225.00000000000A1000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.indyproject.org/

System Summary

Source: dmwSettings.ex#.exe Static PE information: section name: (10 sections with special-character names; names not rendered)
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Process Stats: CPU usage > 49%
Source: dmwSettings.ex#.exe Static PE information: Number of sections : 19 > 10
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000004F7D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs dmwSettings.ex#.exe
Source: dmwSettings.ex#.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dmwSettings.ex#.exe Static PE information: Section: ZLIB complexity 0.9943033854166666
Source: dmwSettings.ex#.exe Static PE information: Section: ZLIB complexity 0.9984122983870968
Source: dmwSettings.ex#.exe Static PE information: Section: ZLIB complexity 0.9975980007349011
Source: dmwSettings.ex#.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File created: C:\Users\user\Desktop\error.log
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Mutant created: \Sessions\1\BaseNamedObjects\fedd1d1122aa65028c81e16ceb85d9c73790a2fa
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 occurrences)
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dmwSettings.ex#.exe Virustotal: Detection: 22%
Source: dmwSettings.ex#.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: magnification.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: security.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: idndl.dll
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: iphlpapi.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: dmwSettings.ex#.exe Static file information: File size 14571536 > 1048576
Source: dmwSettings.ex#.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x12e600
Source: dmwSettings.ex#.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x372800
Source: dmwSettings.ex#.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x81fe00
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: dmwSettings.ex#.exe Static PE information: section name: (10 sections with special-character names; names not rendered)
Source: dmwSettings.ex#.exe Static PE information: section name: .themida
Source: dmwSettings.ex#.exe Static PE information: section name: .boot
Source: dmwSettings.ex#.exe Static PE information: section name: entropy: 7.903690006990631

Boot Survival

Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (9 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\dmwSettings.ex#.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Section loaded: OutputDebugStringW count: 1948
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Window / User API: threadDelayed 5067
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Window / User API: threadDelayed 4255
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe TID: 1104 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe TID: 1780 Thread sleep time: -57000s >= -30000s
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe TID: 1104 Thread sleep time: -5067000s >= -30000s
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe TID: 1104 Thread sleep time: -4255000s >= -30000s
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: dmwSettings.ex#.exe, 00000000.00000003.1827151986.000000000543D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @Idassignednumbers@IdPORT_vmnet
Source: dmwSettings.ex#.exe, 00000000.00000003.1827151986.000000000543D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @Idassignednumbers@IdPORT_vmnet$@Idassignednumbers@IdPORT_genrad_mux
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\dmwSettings.ex#.exe Process queried: DebugPort
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerZxcvb6^
Source: dmwSettings.ex#.exe, 00000000.00000002.4186282253.0000000000B6C000.00000002.00000001.01000000.00000003.sdmp, dmwSettings.ex#.exe, 00000000.00000003.1827151986.000000000543D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @Winapi@Windows@DOF_PROGMAN
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerALS~1f
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerurce F
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagernHintsx
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.000000000501F000.00000004.00001000.00020000.00000000.sdmp, dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerECH~1
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager"
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000004FCE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: program manager chromelication6654390.zip
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1pS
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManageronsIPr
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerL
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managervix^
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerevineC$^
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1AF~1T
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managere Brow
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1tsPrLuY
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerShade
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerationG1^
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager*_7y
Source: dmwSettings.ex#.exe, 00000000.00000002.4191477872.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerroved

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: dmwSettings.ex#.exe PID: 4460, type: MEMORYSTR
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000004FCE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: /C:\Users\user\AppData\Roaming\Electrum\wallets
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000004FFB000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: RC:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb1
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000004F9A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000004F9A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000005002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: dmwSettings.ex#.exe, 00000000.00000003.1823902618.0000000005005000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ethereum
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000004FB8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsp
Source: dmwSettings.ex#.exe, 00000000.00000002.4191768105.0000000004F9A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: Yara match File source: Process Memory Space: dmwSettings.ex#.exe PID: 4460, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: dmwSettings.ex#.exe PID: 4460, type: MEMORYSTR
No contacted IP infos