Q&A Found a PUP: C:\Windows\n.exe

SeriousHoax

This morning, all of a sudden, I was notified by WD of this detection for a file in the Windows folder.
C:\Windows\n.exe
This is the sample: VirusTotal

Thankfully it's not malware; it's a PUP/Riskware which probably hides file attributes.
The relation chart on VT shows relations to uTorrent, KMS and some other unknown setup files. I'm not using any of those programs on my system, nor any cracked programs. I have no idea how it came to be there.
After deleting this is what WD shows as affected items.
Ignore the second one in K: directory because I manually copied it there to keep a copy of the sample.
So the affected items are:

"C:\Windows\n.exe"
"file: \\localhost\C$\Windows\n.exe"

I don't know what the last one means. Does anyone know anything about this PUP?
 

SeriousHoax

It seems just the NirSoft tool:

Looks like some application uses this tool to do some things in the background. Since even @venustus has it, I'm guessing we use or have used that particular application :unsure:
 

Freud2004

Looks like some application uses this tool to do some things in the background. Since even @venustus has it, I'm guessing we use or have used that particular application :unsure:

Maybe this one (COMODO RSA):

Vendor and version information

The following is the available information on n.exe:
Product version: 1.0.0.465
File version: 1.0.0.465

Digital signatures

n.exe has a valid digital signature.
Signer name: OOO "SOLVO.LOG"
Certificate issuer name: COMODO RSA Code Signing CA
Certificate serial number: 00bf908b9311068039d904cb4a73b8ba
 

SeriousHoax

Maybe this one (COMODO RSA):

Vendor and version information

The following is the available information on n.exe:
Product version: 1.0.0.465
File version: 1.0.0.465

Digital signatures

n.exe has a valid digital signature.
Signer name: OOO "SOLVO.LOG"
Certificate issuer name: COMODO RSA Code Signing CA
Certificate serial number: 00bf908b9311068039d904cb4a73b8ba
I checked again. It's not this one. It's the one @harlan4096 shared.
 

struppigel

This is the full code of the application.
nircmd.png

It starts a process, which has to be given as argument, without showing a window. It's not malware. It's just something that might be abused to run a program silently, e.g., a setup.

This file has not much in common with the official NirCmd. I downloaded the official one here: NirCmd - Windows command line tool
So, well noted by @TairikuOkami

There is a debug path inside this file:
C:\Users\Alpha\source\repos\nircmdc\nircmdc\obj\Release\nircmdc.pdb
If you search for this string you will find a hybrid-analysis run of uTorrent and one any.run analysis on the file itself.

This indicates that it hasn't been seen in malware yet.
I wouldn't be too worried about it.
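
The debug path mentioned in the post above is stored in the file's CodeView `RSDS` debug record. The following is an added example, not part of the original thread, that scans raw bytes for that record and splits the path into search terms for pivoting in sandbox reports; the function names, the sample bytes, the GUID and the age are constructed for illustration.

```python
import struct
import uuid
from pathlib import PureWindowsPath

def _plausible(raw: bytes) -> bool:
    """Accept only short, printable UTF-8 strings ending in .pdb."""
    if not 4 < len(raw) <= 260:
        return False
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return text.isprintable() and text.lower().endswith(".pdb")

def find_pdb_records(data: bytes) -> list:
    """Scan for CodeView records: 'RSDS' + GUID (16) + age (4) + path + NUL."""
    records = []
    pos = data.find(b"RSDS")
    while pos != -1:
        body = pos + 4
        end = data.find(b"\x00", body + 20)
        if end != -1 and _plausible(data[body + 20:end]):
            (age,) = struct.unpack_from("<I", data, body + 16)
            records.append({
                "guid": str(uuid.UUID(bytes_le=data[body:body + 16])),
                "age": age,
                "pdb_path": data[body + 20:end].decode("utf-8"),
            })
        pos = data.find(b"RSDS", pos + 1)  # keep scanning past false hits
    return records

def pivot_terms(pdb_path: str) -> dict:
    """Split a PDB path into strings worth searching in sandbox reports."""
    parts = PureWindowsPath(pdb_path).parts
    user = parts[2] if len(parts) > 2 and parts[1].lower() == "users" else None
    return {"build_user": user, "pdb_name": parts[-1]}

# Constructed sample, not the real n.exe. The GUID and age are made up;
# only the path string is taken from the post above.
_PATH = rb"C:\Users\Alpha\source\repos\nircmdc\nircmdc\obj\Release\nircmdc.pdb"
_GUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")
SAMPLE = (b"MZ" + b"\x90" * 32
          + b"RSDS" + b"\xff" * 24 + b"\x00"   # decoy bytes, not a real record
          + b"RSDS" + _GUID.bytes_le + struct.pack("<I", 1) + _PATH + b"\x00")

if __name__ == "__main__":
    for rec in find_pdb_records(SAMPLE):
        print(rec, pivot_terms(rec["pdb_path"]))
```

A byte scan like this is a triage shortcut; a full parser would follow the PE debug directory to the record instead of searching for the signature.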
 

Coldblackice

This is the full code of the application.
View attachment 250329
It starts a process, which has to be given as argument, without showing a window. It's not malware. It's just something that might be abused to run a program silently, e.g., a setup.

This file has not much in common with the official NirCmd. I downloaded the official one here: NirCmd - Windows command line tool
So, well noted by @TairikuOkami

There is a debug path inside this file:
C:\Users\Alpha\source\repos\nircmdc\nircmdc\obj\Release\nircmdc.pdb
If you search for this string you will find a hybrid-analysis run of uTorrent and one any.run analysis on the file itself.

This indicates that it hasn't been seen in malware yet.
I wouldn't be too worried about it.
Thanks. How did you get it broken down like that? Is that from IDA?
 