dwm.exe

Salung International Corporation

The executable dwm.exe has been detected as malware by 3 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered to execute each time a user logs in.

Publisher:
Salung International Corporation  (signed and verified)

MD5:
8ffbcd82749138891e074b3b0e58156d

SHA-1:
81ae4aaae4fd63b40635feb730d72c32622b6a75

SHA-256:
7f2072757b4864a6f6018383309588121a16b7e8c7277be2d5d5db0f63931e26

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
12/29/2024 6:32:54 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Clam AntiVirus | Win.Trojan.Kirts-1 | 0.98/22877 |
| ESET NOD32 | MSIL/Kryptik.GMF trojan | 6.3.12010.0 |
| Microsoft Security Essentials | Backdoor:Win32/Kirts.A | 1.235.216.0 |

File size:
729.5 KB (747,048 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\dwm.exe

Digital Signature
Authority:
Salung International Corporation

Valid from:
6/25/2016 6:45:36 AM

Valid to:
6/26/2026 6:45:36 AM

Subject:
E=sales@salung.com, CN=www.salung.com, OU=Sales Department, O=Salung International Corporation, L=Columbus, S=Ohio, C=US

Issuer:
E=sales@salung.com, CN=www.salung.com, OU=Sales Department, O=Salung International Corporation, L=Columbus, S=Ohio, C=US

Serial number:
00866E0A24F3686932

File PE Metadata
Compilation timestamp:
6/27/2016 8:21:37 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0x5921E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Entropy:
5.8097

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
352 KB (360,448 bytes)

Scheduled Task
Task name:
dwm.exe

Path:
\Update\dwm.exe

Trigger:
Logon (Runs on logon)

