» daocaoren.exe
Overview
Analysis
File Details
Behaviors (1)

daocaoren.exe

稻草人便民工具

Yantai ZhengHao Network Technology Co.,Ltd.

It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘DaoCaoRen’.

File name:

daocaoren.exe

Publisher:

稻草人 (signed by Yantai ZhengHao Network Technology Co.,Ltd.)

Product:

稻草人便民工具

Version:

2.0.0.368

MD5:

791041a6489d5e3b7b3cb1935772f6a2

SHA-1:

8ab09b3d5516b2518ac4a6041577ee8a833c87c3

SHA-256:

5f9aa53990ddef1c5c78c8b6a40f61bb2ee25fac6d7bb7d52ca8eb6782117222

Scanner detections:

0 / 68

Status:

Clean (as of last analysis)

Analysis date:

11/24/2024 12:29:15 PM UTC (today)

File size:

583.2 KB (597,152 bytes)

Product version:

2.0.0.368

稻草人www.daocaoren.cn

Original file name:

Utility.exe

File type:

Executable application (Win32 EXE)

Common path:

C:\Program Files\daocaoren\daocaoren.exe

Digital Signature

Signed by:

Yantai ZhengHao Network Technology Co.,Ltd.

Authority:

VeriSign, Inc.

Valid from:

6/14/2012 8:00:00 AM

Valid to:

6/15/2013 7:59:59 AM

Subject:

CN="Yantai ZhengHao Network Technology Co.,Ltd.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Yantai ZhengHao Network Technology Co.,Ltd.", L=Yantai, S=Shandong, C=CN

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

0F3D33D10E94C4017C0417C354E3620E

File PE Metadata

Compilation timestamp:

11/14/2012 2:03:55 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

7.10

CTPH (ssdeep):

12288:JiW2nSEhHAhF/XQ2zm7NU6X9mXwFg1bJql:JqSEhHiFvQKwU6NxFUO

Entry address:

0x35CD6

Entry point:

6A, 60, 68, 28, 33, 46, 00, E8, 66, 09, 00, 00, BF, 94, 00, 00, 00, 8B, C7, E8, 22, DE, FF, FF, 89, 65, E8, 8B, F4, 89, 3E, 56, FF, 15, 38, 93, 45, 00, 8B, 4E, 10, 89, 0D, 2C, 48, 47, 00, 8B, 46, 04, A3, 38, 48, 47, 00, 8B, 56, 08, 89, 15, 3C, 48, 47, 00, 8B, 76, 0C, 81, E6, FF, 7F, 00, 00, 89, 35, 30, 48, 47, 00, 83, F9, 02, 74, 0C, 81, CE, 00, 80, 00, 00, 89, 35, 30, 48, 47, 00, C1, E0, 08, 03, C2, A3, 34, 48, 47, 00, 33, F6, 56, 8B, 3D, 00, 93, 45, 00, FF, D7, 66, 81, 38, 4D, 5A, 75, 1F, 8B, 48, 3C, 03... 
[+]

Entropy:

6.5042

Developed / compiled with:

Microsoft Visual C++ v7.0

Code size:

352 KB (360,448 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

DaoCaoRen

Command:

"C:\Program Files\daocaoren\daocaoren.exe" \s

Scan daocaoren.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.