SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
File name: cmd.exe
Detection ratio: 0 / 68
Analysis date: 2018-08-16 01:47:56 UTC
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus / Result / Update date (the Result column is empty for every engine listed: none flagged the file)
ALYac 20180816
AVG 20180815
AVware 20180816
Ad-Aware 20180816
AegisLab 20180816
AhnLab-V3 20180815
Antiy-AVL 20180816
Arcabit 20180816
Avast 20180815
Avast-Mobile 20180815
Avira (no cloud) 20180815
Babable 20180725
Baidu 20180815
BitDefender 20180816
Bkav 20180815
CAT-QuickHeal 20180814
CMC 20180812
ClamAV 20180815
Comodo 20180815
CrowdStrike Falcon (ML) 20180723
Cybereason 20180225
Cylance 20180816
Cyren 20180815
DrWeb 20180816
ESET-NOD32 20180816
Emsisoft 20180815
Endgame 20180730
F-Prot 20180815
F-Secure 20180815
Fortinet 20180815
GData 20180815
Ikarus 20180815
Sophos ML 20180717
Jiangmin 20180815
K7AntiVirus 20180815
K7GW 20180815
Kaspersky 20180816
Kingsoft 20180816
MAX 20180816
Malwarebytes 20180815
McAfee 20180815
McAfee-GW-Edition 20180815
eScan 20180815
Microsoft 20180815
NANO-Antivirus 20180816
Palo Alto Networks (Known Signatures) 20180816
Panda 20180815
Qihoo-360 20180816
Rising 20180816
SUPERAntiSpyware 20180815
SentinelOne (Static ML) 20180701
Sophos AV 20180816
Symantec 20180816
TACHYON 20180816
Tencent 20180816
TheHacker 20180815
TotalDefense 20180815
TrendMicro 20180816
TrendMicro-HouseCall 20180816
VBA32 20180815
VIPRE 20180816
ViRobot 20180815
Webroot 20180816
Yandex 20180815
Zillya 20180815
ZoneAlarm by Check Point 20180816
Zoner 20180815
eGambit 20180816
Alibaba 20180713
Symantec Mobile Insight 20180814
Trustlook 20180816
The file being studied is a Portable Executable (PE32+) image: a console-subsystem EXE built for the x64 architecture. The generic "Win32 EXE" label that appears in the file identification section refers to the PE format, not to a 32-bit target.
Authenticode signature block and FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name Cmd.Exe
Internal name cmd
File version 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Description Windows Command Processor
Signature verification Signed file, verified signature. The leaf and intermediate certificates below are reported as not time valid because they expired in 2011 and 2016; the signature still verifies because it carries a Microsoft Time-Stamp Service countersignature taken at signing time (8:37 PM 11/20/2010, inside every certificate's validity window), so the chain is evaluated as of that timestamp rather than as of the scan date.
Signing date 8:37 PM 11/20/2010
Signers
[+] Microsoft Windows
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Windows Verification PCA
Valid from 10:57 PM 12/7/2009
Valid to 10:57 PM 3/7/2011
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
Serial number 61 15 23 0F 00 00 00 00 00 0A
[+] Microsoft Windows Verification PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Certificate Authority
Valid from 10:55 PM 9/15/2005
Valid to 11:05 PM 3/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 8:12 PM 7/25/2008
Valid to 8:22 PM 7/25/2011
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C
Serial number 61 03 DC F6 00 00 00 00 00 0C
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 1:53 PM 4/3/2007
Valid to 2:03 PM 4/3/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
PE header basic information
Target machine x64
Compilation timestamp 2010-11-20 09:46:13
Entry Point 0x000090B4
Number of sections 6
PE sections
PE imports
SetThreadLocale
GetVolumePathNameW
GetStdHandle
GetDriveTypeW
GetConsoleOutputCP
FileTimeToSystemTime
WaitForSingleObject
FindNextStreamW
GetConsoleTitleW
SetConsoleCursorPosition
ScrollConsoleScreenBufferW
GetFileAttributesW
QueryFullProcessImageNameW
GetLocalTime
GetCurrentProcess
GetConsoleMode
GetThreadGroupAffinity
GetVolumeInformationW
RegOpenKeyExW
SetErrorMode
FreeEnvironmentStringsW
GetLocaleInfoW
GetCPInfo
GetNumaNodeProcessorMaskEx
GetSystemTimeAsFileTime
HeapReAlloc
GetExitCodeProcess
LocalFree
FormatMessageW
ResumeThread
InitializeCriticalSection
FindClose
MoveFileW
SetFileAttributesW
CancelSynchronousIo
GetEnvironmentVariableW
SetLastError
RegCreateKeyExW
GetSystemTime
DeviceIoControl
CopyFileW
RemoveDirectoryW
HeapAlloc
FillConsoleOutputCharacterW
HeapSetInformation
LoadLibraryExA
SetConsoleCtrlHandler
DelayLoadFailureHook
UnhandledExceptionFilter
InitializeProcThreadAttributeList
MultiByteToWideChar
SetFilePointerEx
SetProcessAffinityMask
GetFullPathNameW
SetEnvironmentVariableW
MoveFileExW
SetUnhandledExceptionFilter
RegDeleteValueW
TerminateProcess
RegSetValueExW
SetCurrentDirectoryW
VirtualQuery
RegDeleteKeyExW
GetDiskFreeSpaceExW
GetVDMCurrentDirectories
SetEndOfFile
GetVersion
lstrcmpW
WriteConsoleW
HeapFree
EnterCriticalSection
LoadLibraryW
OpenThread
FreeLibrary
QueryPerformanceCounter
GetTickCount
SetConsoleTextAttribute
FlushFileBuffers
lstrcmpiW
SetEnvironmentStringsW
SetLocalTime
SystemTimeToFileTime
GetWindowsDirectoryW
GetFileSize
RegQueryValueExW
GetDateFormatW
GetStartupInfoW
ReadProcessMemory
CreateDirectoryW
DeleteFileW
GetProcAddress
GetConsoleScreenBufferInfo
FillConsoleOutputAttribute
GetProcessHeap
GetTimeFormatW
GetBinaryTypeW
GetModuleFileNameW
ExpandEnvironmentStringsW
FindNextFileW
NeedCurrentDirectoryForExePathW
CreateHardLinkW
FindFirstFileW
DuplicateHandle
FindFirstFileExW
GetUserDefaultLCID
CmdBatNotification
SearchPathW
CreateFileW
GetConsoleWindow
UpdateProcThreadAttribute
GetNumaHighestNodeNumber
GetFileType
GetCurrentThreadId
LeaveCriticalSection
GetLastError
FlushConsoleInputBuffer
GlobalFree
GetThreadLocale
GetEnvironmentStringsW
GlobalAlloc
CreateProcessW
FileTimeToLocalFileTime
CompareFileTime
GetCurrentProcessId
SetFileTime
GetCommandLineW
FindFirstStreamW
HeapSize
SetConsoleTitleW
ReadConsoleW
SetFilePointer
CreateSymbolicLinkW
ReadFile
CloseHandle
GetACP
GetModuleHandleW
GetFileAttributesExW
DeleteProcThreadAttributeList
RegCloseKey
WideCharToMultiByte
GetCurrentDirectoryW
SetConsoleMode
WriteFile
VirtualFree
Sleep
VirtualAlloc
BrandingFormatString
rand
_ultoa
_wcsupr
setlocale
realloc
wcstoul
memset
wcschr
_local_unwind
_pipe
_open_osfhandle
_wcslwr
_pclose
_wcsicmp
_setmode
printf
fgets
_getch
fflush
_fmode
_vsnwprintf
_amsg_exit
?terminate@@YAXXZ
_wcsnicmp
__C_specific_handler
_errno
feof
qsort
_dup
memcpy
_get_osfhandle
_wtol
exit
_XcptFilter
_commode
iswalpha
__setusermatherr
iswspace
_setjmp
_close
_cexit
srand
_tell
_dup2
ferror
memcmp
free
iswxdigit
wcsncmp
__getmainargs
calloc
_initterm
towupper
_wpopen
wcstol
memmove
wcsspn
towlower
longjmp
swscanf
wcsrchr
iswdigit
time
wcsstr
fprintf
_exit
_iob
__set_app_type
NtOpenThreadToken
NtSetInformationProcess
RtlFindLeastSignificantBit
NtOpenProcessToken
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlFreeHeap
NtFsControlFile
NtQueryInformationToken
RtlNtStatusToDosError
RtlDosPathNameToNtPathName_U
NtQueryInformationProcess
NtClose
Number of PE resources by type
RT_ICON 10
RT_GROUP_ICON 1
MUI 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 14
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 6.1
LinkerVersion 9.0
ImageVersion 6.1
FileSubtype 0
FileVersionNumber 6.1.7601.17514
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
ImageFileCharacteristics Executable, Large address aware
CharacterSet Unicode
InitializedDataSize 183808
EntryPoint 0x90b4
OriginalFileName Cmd.Exe
MIMEType application/octet-stream
LegalCopyright © Microsoft Corporation. All rights reserved.
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
TimeStamp 2010:11:20 10:46:13+01:00
FileType Win64 EXE
PEType PE32+
InternalName cmd
ProductVersion 6.1.7601.17514
FileDescription Windows Command Processor
OSVersion 6.1
FileOS Windows NT 32-bit
Subsystem Windows command line
MachineType AMD AMD64
CompanyName Microsoft Corporation
CodeSize 160256
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.1.7601.17514
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256 db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
ssdeep
ssdeep 6144:NVl7yDR2iaGcsVXFBM6IT77aVebJWC1jIdDWCoCX9Sm:jdyDRwpmFq6ITSebJWwjIdDbNS
authentihash 5f98965ff2650b89586176b38f007ca13a9e525e877ddccbcdce0a90408672d5
imphash d0058544e4588b1b2290b7f4d830eb0a
File size 337.0 KB ( 345088 bytes )
File type Win32 EXE
Magic literal PE32+ executable for MS Windows (console) Mono/.Net assembly
The "Mono/.Net assembly" part of the magic string (and the "assembly" tag derived from it) is a libmagic misidentification: cmd.exe is native x64 code, and the import list above contains no _CorExeMain entry from mscoree.dll, which every managed executable must have.
TrID Win64 Executable (generic) (82.0%)
OS/2 Executable (generic) (6.0%)
Generic Win/DOS Executable (5.9%)
DOS Executable Generic (5.9%)
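The authentihash listed above is not just another digest of the whole file: it is the Authenticode PE image hash, computed with the OptionalHeader.CheckSum field, the Certificate Table data-directory entry and the appended signature blob left out. That is why it stays identical when a file is re-signed or has its checksum patched while MD5, SHA-1 and SHA-256 all change, and why it is the right key for pivoting between differently signed copies of the same image. The Python below is added here as an example (it is not VirusTotal's or Microsoft's code): it implements that hashing rule straight from the PE header fields and demonstrates the invariance on a minimal PE32+ image constructed inside the script. The `build_pe32plus` fixture, the placeholder certificate bytes and the function names are assumptions of this example, not anything taken from the report.

```python
import hashlib
import struct


def authentihash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode PE image hash: the digest a code signature actually covers.

    Skips OptionalHeader.CheckSum, the Certificate Table directory entry
    (IMAGE_DIRECTORY_ENTRY_SECURITY) and the certificate blob itself, hashes
    section raw data in file order, then any trailing overlay that is not the
    certificate table. Handles PE32 (0x10B) and PE32+ (0x20B).
    """
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dd_off = opt + (112 if magic == 0x20B else 96)   # first data directory
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    cert_entry_off = dd_off + 4 * 8                  # directory index 4 = security
    cert_size = struct.unpack_from("<II", data, cert_entry_off)[1]

    # 1. Headers, minus CheckSum and the Certificate Table entry.
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:cert_entry_off])
    h.update(data[cert_entry_off + 8:size_of_headers])

    # 2. Section raw data sorted by PointerToRawData; empty sections skipped.
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        if size_raw:
            sections.append((ptr_raw, size_raw))
    hashed = size_of_headers
    for ptr_raw, size_raw in sorted(sections):
        h.update(data[ptr_raw:ptr_raw + size_raw])
        hashed += size_raw

    # 3. Overlay after the last section, excluding the certificate table that
    #    a signing tool appends at the very end of the file.
    extra = len(data) - hashed - cert_size
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def build_pe32plus(code: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32+ console image with one .text section (example
    fixture, not a real binary); cert_blob stands in for a WIN_CERTIFICATE."""
    size_of_headers = file_align = 0x200
    text_raw = code.ljust(file_align, b"\0")
    cert_off = size_of_headers + len(text_raw) if cert_blob else 0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)      # x64, 1 section
    opt = bytearray(240)
    struct.pack_into("<HBB", opt, 0, 0x20B, 9, 0)                       # PE32+, linker 9.0
    struct.pack_into("<I", opt, 4, len(text_raw))                       # SizeOfCode
    struct.pack_into("<II", opt, 16, 0x1000, 0x1000)                    # EntryPoint, BaseOfCode
    struct.pack_into("<Q", opt, 24, 0x140000000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)                # alignments
    struct.pack_into("<HHHH", opt, 40, 6, 1, 0, 0)                      # OS / image version
    struct.pack_into("<HH", opt, 48, 6, 1)                              # subsystem version
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)           # SizeOfImage/Headers
    struct.pack_into("<I", opt, 64, checksum)                           # CheckSum (not covered)
    struct.pack_into("<H", opt, 68, 3)                                  # WINDOWS_CUI
    struct.pack_into("<QQQQ", opt, 72, 0x100000, 0x1000, 0x100000, 0x1000)
    struct.pack_into("<I", opt, 108, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_blob))  # Certificate Table
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(text_raw),
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return headers + text_raw + cert_blob


def demo() -> dict:
    """Same code in three file variants: authentihash is invariant, SHA-256 is not."""
    code = b"\xC3" * 16                                    # constructed: 16 x 'ret'
    plain = build_pe32plus(code)
    patched = build_pe32plus(code, checksum=0xDEADBEEF)    # checksum rewritten
    signed = build_pe32plus(code, checksum=0xDEADBEEF,
                            cert_blob=b"\x00" * 8 + b"placeholder PKCS#7 blob")
    tampered = build_pe32plus(code[:-1] + b"\xCC")         # one code byte changed
    return {
        "authentihash": [authentihash(x) for x in (plain, patched, signed)],
        "sha256": [hashlib.sha256(x).hexdigest() for x in (plain, patched, signed)],
        "tampered_authentihash": authentihash(tampered),
    }


if __name__ == "__main__":
    r = demo()
    print("authentihash invariant across checksum/signature:", len(set(r["authentihash"])) == 1)
    print("sha256 differs per variant:", len(set(r["sha256"])) == 3)
    print("code change detected:", r["tampered_authentihash"] != r["authentihash"][0])
```

Run against an unmodified copy of the real binary, `authentihash(open("cmd.exe", "rb").read())` is expected to reproduce the SHA-256 authentihash in the report, and the same call with `"sha1"` gives the digest that older SHA-1 signatures such as this one were computed over; `hashlib.sha256` on the same bytes gives the file-level SHA256 instead. The overlay step assumes the certificate table sits at the end of the file, which is where signing tools place it; a file with a signature in the middle of a larger overlay needs the offset from the directory entry rather than the running byte count.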
Tags
peexe assembly signed attachment via-tor 64bits trusted

Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with cmd.exe as its name.
VirusTotal metadata
First submission 2011-01-27 08:10:19 UTC
Last submission 2018-08-16 01:16:13 UTC
File names cmd.exe
135
cmd (2).exe
b7337a39f051e54cabe5065bac28b319.tmp
[21]cmd.exe
Utilman.exe
RLHackers
[12]cmd.exe
cmd.exe
myfile.exe
cmd.exe
4d2ad3c22bf4ec469703a4c094fa2ead.tmp
cmd
f8454fa16fb033e4500e95836049a7e7c8b57ea7.exe
y.exe
pe-Windows-x64-cmd
mmc32.exe
[65]cmd.exe
sethc.exe_
[60]cmd.exe
cmd.exe
[56]cmd.exe
557184
m.exe
explorer.exe

Names such as Utilman.exe and sethc.exe_ deserve attention: a copy of cmd.exe placed over the Accessibility helpers in System32 yields a SYSTEM shell from the logon screen (the sticky-keys / Utilman backdoor). Because the bytes are Microsoft's, no engine will ever flag such a copy; detect it by comparing the hash of those files in System32 against this one, not by engine verdicts.
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight