kdwin.exe

Executable for Hearts Game

Develop Invest, TOV

Although the file's version information claims it was developed by 'Microsoft Corporation', it is not a Microsoft file: it is signed by 'Develop Invest, TOV' and its properties are crafted to resemble a legitimate Microsoft system file. The executable kdwin.exe, described as an "Executable for Hearts Game", has been detected as malware by 1 anti-virus scanner. It is a setup program used to install the application, and it has been observed being downloaded from night-paleplane.ru.
Publisher:
Microsoft Corporation (signed by Develop Invest, TOV)

Product:
Microsoft® Windows® Operating System

Description:
Executable for Hearts Game

Version:
6.1.7600.16385 (win7_rtm.090713-1255)

MD5:
1cf051fc47f13e083be5c162f402be14

SHA-1:
8a889c0aad9c102bf7b47178c41f8584beec79bc

SHA-256:
f2c22409e1792374e318e73285aa04aaeb090f5d0272c723ce2ec5e7f340f2f6

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/28/2024 12:27:25 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
17.2.22.6

File size:
3.2 MB (3,333,640 bytes)

Product version:
6.1.7600.16385

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
hearts.exe.mui

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\kdwin.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
5/10/2016 5:00:00 AM

Valid to:
5/11/2017 4:59:59 AM

Subject:
CN="Develop Invest, TOV", OU=IT, O="Develop Invest, TOV", STREET="vul. Svitlytskogo, 35", L=Kiev, S=Kiev, PostalCode=04080, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A92AE1C6A35F5607D7A0245CBC2565BF

File PE Metadata
Compilation timestamp:
11/28/2009 9:04:49 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x37786


Code size:
258 KB (264,192 bytes)

The file kdwin.exe has been observed being distributed from the following URL.

http://night-paleplane.ru/1464888004235005847/kdwin/.../?load=1
