wincmd.exe

wincmd

MM Studio

The executable wincmd.exe has been detected as malware by 11 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘wincmd’.
Publisher:
MM Studio  (signed and verified)

Product:
wincmd

Version:
1.24

MD5:
d9fcc69bd83462e04e2518a7aee858f6

SHA-1:
e6064ea571efe43a5d441a84117530f8369c4060

SHA-256:
777df47e52c25a7c000f84c9ba21d93e5e9451e6996be9775d4c2fae3b44ad4a

Scanner detections:
11 / 68

Status:
Malware

Explanation:
The software cotains keystroke monitoring/logging capablities which may or may not be installed without the user's knowledge.

Analysis date:
12/27/2024 5:08:05 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Trojan/Win32.ADH
2012.03.04

avast!
Win32:Malware-gen
2014.9-160519

Bitdefender
Generic.Keylogger.AE20102C
1.0.20.700

Dr.Web
BACKDOOR.Trojan
9.0.1.0140

F-Prot
W32/VB-Backdoor-PEK-based
v6.4.6.5.141

F-Secure
Generic.Keylogger.AE20102C
11.2016-19-05_5

G Data
Generic.Keylogger.AE20102C
16.5.22

IKARUS anti.virus
Win32.SuspectCrc
t3scan.1.1.118.0

K7 AntiVirus
Trojan
13.131.6328

McAfee
Artemis!D9FCC69BD834
5600.6395

VIPRE Antivirus
Trojan.Win32.Generic
11617

File size:
139 KB (142,296 bytes)

Product version:
1.24

Copyright:
MM Studio

Trademarks:
MM Studio

Original file name:
wincmd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\wincmd\wincmd.exe

Digital Signature
Signed by:

Authority:
Unizeto Technologies S.A.

Valid from:
10/5/2011 12:45:44 PM

Valid to:
8/7/2012 12:45:44 PM

Subject:
C=PL, O=MM Studio, OU=Swidnik, CN=MM Studio Maciej Piwko, E=biuro@mmstudio.pl

Issuer:
CN=Certum Level III CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
4BEC754AF8C012D0095DF2DBF10E930B

File PE Metadata
Compilation timestamp:
11/13/2011 12:26:08 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:BTNAqt20388Yf15cgGxZje8q1gy10XY8Oe4aPA8PozQCZwytUjYt/mW/PpMhI:BTNAqPnacgGxZggq0XtBA0okC+WLMq

Entry address:
0x76220

Entry point:
60, BE, 00, 60, 45, 00, 8D, BE, 00, B0, FA, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 19, 8B, 1E, 83, EE, FC, 11, DB, 72, 10, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 78, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11...
 
[+]

Packer / compiler:
UPX 2.90LZMA

Code size:
132 KB (135,168 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
wincmd

Command:
C:\windows\wincmd\wincmd.exe


Remove wincmd.exe - Powered by Reason Core Security