× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 31b3b228382dc359f22ae97b2602eee81dc743fb21196061eacc6619533881f5
File name: nircmd.exe
Detection ratio: 4 / 61
Analysis date: 2017-06-05 09:46:19 UTC ( 1 år, 6 månader ago ) View latest
Antivirus Result Update
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9850 20170601
Sophos ML virus.win32.virut.bn 20170604
Sophos AV NirCmd (PUA) 20170605
TheHacker Posible_Worm32 20170605
Ad-Aware 20170605
AegisLab 20170605
AhnLab-V3 20170605
Alibaba 20170605
ALYac 20170605
Antiy-AVL 20170605
Arcabit 20170605
Avast 20170605
AVG 20170605
Avira (no cloud) 20170605
AVware 20170605
BitDefender 20170605
Bkav 20170602
CAT-QuickHeal 20170605
ClamAV 20170605
CMC 20170605
Comodo 20170605
CrowdStrike Falcon (ML) 20170420
Cyren 20170605
DrWeb 20170605
Emsisoft 20170605
Endgame 20170515
ESET-NOD32 20170605
F-Prot 20170605
F-Secure 20170605
Fortinet 20170605
GData 20170605
Ikarus 20170605
Jiangmin 20170605
K7AntiVirus 20170604
K7GW 20170605
Kaspersky 20170605
Kingsoft 20170605
Malwarebytes 20170605
McAfee 20170605
McAfee-GW-Edition 20170604
Microsoft 20170605
eScan 20170605
NANO-Antivirus 20170605
nProtect 20170605
Palo Alto Networks (Known Signatures) 20170605
Panda 20170604
Qihoo-360 20170605
Rising 20170605
SentinelOne (Static ML) 20170516
SUPERAntiSpyware 20170605
Symantec 20170605
Symantec Mobile Insight 20170605
Tencent 20170605
TrendMicro 20170605
TrendMicro-HouseCall 20170605
Trustlook 20170605
VBA32 20170605
VIPRE 20170605
ViRobot 20170605
Webroot 20170605
WhiteArmor 20170601
Yandex 20170602
Zillya 20170602
ZoneAlarm by Check Point 20170605
Zoner 20170605
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright © 2003 - 2016 Nir Sofer

Product NirCmd
Original name NirCmd.exe
Internal name NirCmd
File version 2.81
Description NirCmd
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-05-23 06:44:37
Entry Point 0x00019D40
Number of sections 3
PE sections
PE imports
RegCloseKey
BitBlt
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
ShellExecuteA
mixerOpen
CoInitialize
Number of PE resources by type
RT_DIALOG 2
RT_GROUP_CURSOR 1
RT_MANIFEST 1
RT_CURSOR 1
RT_VERSION 1
Number of PE resources by language
HEBREW DEFAULT 3
ENGLISH US 3
PE resources
ExifTool file metadata
UninitializedDataSize
61440

LinkerVersion
8.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
2.8.1.226

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

FileDescription
NirCmd

ImageFileCharacteristics
No relocs, Executable, 32-bit

CharacterSet
Unicode

InitializedDataSize
4096

EntryPoint
0x19d40

OriginalFileName
NirCmd.exe

MIMEType
application/octet-stream

LegalCopyright
Copyright 2003 - 2016 Nir Sofer

FileVersion
2.81

TimeStamp
2016:05:23 07:44:37+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
NirCmd

ProductVersion
2.81

SubsystemVersion
4.0

OSVersion
4.0

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
NirSoft

CodeSize
40960

ProductName
NirCmd

ProductVersionNumber
2.8.1.226

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
Execution parents
PE resource-wise parents
Overlay parents
Compressed bundles
File identification
MD5 84d499f558570c32f4cb100a9124890b
SHA1 9adfc7ab66348d84ebdd9c1e8093cad4cc8485ef
SHA256 31b3b228382dc359f22ae97b2602eee81dc743fb21196061eacc6619533881f5
ssdeep
768:e4OBw5XDtS0d0xr6xczY6jU19q2T5D8EZdZzaJqn:+wtDtS0yV6B6A19FTiEZXaJqn

authentihash 4e6d4310b81b957367040af8d7ae4b36573570e9f63457abd2fa1ceace1b5c6c
imphash 2f9a0154d6a293d856bfb68d9a5042ea
File size 43.5 kB ( 44544 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID UPX compressed Win32 Executable (38.2%)
Win32 EXE Yoda's Crypter (37.5%)
Win32 Dynamic Link Library (generic) (9.2%)
Win32 Executable (generic) (6.3%)
OS/2 Executable (generic) (2.8%)
Tags
peexe upx

VirusTotal metadata
First submission 2016-05-23 12:07:18 UTC ( 2 år, 6 månader ago )
Last submission 2018-11-27 19:30:21 UTC ( 2 veckor, 4 dagar ago )
File names lobaby.pif
uzptz0vumhzittd
kqovtjoa.uts
file_E6F63A5B087A4401BE4E6828D0FABE45
nircmd.dll
info.exe
iygtw20x.4kv
screenshot.exe
zaqx5z1y.r5i
wzuvs0fg.r5s
NirCmd.exe
output.114353459.txt
temp.tmp
E105.TMP.EXE
z00j33u1.f3a
ideografu0.exe
file_A0A3853A6DA440348D574C290AB6AFC2
txnszqtq.k3f
file_E2537A881CA34F228E2907661A207B89
1yd0bi1y.hfg
31b3b228382dc359_l78g4rusv07ffqbcg
31b3b228382dc359_qcbhnd9lrlu7os4
file_0F48DC31ADEE404388EACA8E79D9EBA7
file_070C38F7420540EAAB63DE642631447B
file_140707957E65450BBD15C45E7A2C00BE
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Runtime DLLs
UDP communications