hkcmd.exe

Intel Common User Interface

The executable hkcmd.exe has been detected as malware by 5 of 68 anti-virus scanners. Although its metadata names Intel Corporation as the publisher, that publisher match is reported as invalid. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Intel(R) Common User System’. While running, it connects to the Internet address 209-99-40-223.fwd.datafoundry.com on TCP port 80 using the HTTP protocol.
Publisher:
Intel Corporation*  (Invalid match)

Product:
Intel(R) Common User Interface

Description:
hkcmd Module

Version:
8.15.10.3308

MD5:
9602e8e49e6044640a02e0670ec5841a

SHA-1:
2eb92e7664d0fe16970235af7ac9a677a1c0c1b7

SHA-256:
52c40490c47523acfd062698043dd6a256ed300202e4642b28ca56d228f74d0e

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
1/20/2018 10:26:37 AM UTC

Scan engine     Detection                              Engine version
avast!          Win32:Malware-gen                      160216-0
ESET NOD32      MSIL/TrojanClicker.Agent.NLX trojan    8.0.319.0
F-Secure        Variant.Kazy.734765                    5.15.21
McAfee          Trojan.Artemis!9602E8E49E60            18.0.204.0
Norman          Gen:Variant.Kazy.734765                29.02.2016 03:11:57

File size:
29 KB (29,696 bytes)

Product version:
8.15.10.3308

Copyright:
Copyright 1996 - 2006. Intel Corporation

Original file name:
hkcmd.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\windows\system\hkcmd.exe

File PE Metadata
Compilation timestamp:
2/24/2016 10:06:36 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
384:YgwGkcquEkoYP5UP0mlLf45P/Rbm9X/c/4c0cdu:YgwGkcqzmWP0m5n9S4cvu

Entry address:
0x578E


Entropy:
4.9068

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
14 KB (14,336 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Intel(R) Common User System

Command:
C:\windows\system\hkcmd.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 209-99-40-222.fwd.datafoundry.com  (209.99.40.222:80)

TCP (HTTP):
Connects to 209-99-40-223.fwd.datafoundry.com  (209.99.40.223:80)

TCP (HTTP SSL):
Connects to a-0001.a-msedge.net  (204.79.197.200:443)
