The other answers are basically correct, but are missing the key element:
A weird legacy behavior in
cmd.exe is that when you give it a file as a command (either via the
/c parameter or by just typing the file name into the interactive shell), the first thing it does is call
CreateProcess on that file.
CreateProcess is the Win32 API to launch a program, and it does not care about the file extension; it only cares whether or not the file is executable code and has Execute permission (which all Windows files have, by default). Only if
CreateProcess fails does
cmd fall back to
ShellExecute, which takes an action based on the file extension and registered handler.
As the other answers noted, your “.txt” file is actually a Windows PE executable binary (basically, a renamed “.exe” file). If you ran it on your machine, there’s a pretty good chance your system is now compromised by malware.
You can get the following inferences:
- The file starts with
MZwhich implies this is a PE file (Read more)
- There is a string
This program must be run under Win32.
This is a part of MS DOS-Header. Which confirms inference 1.
It also means that it is a
32 bitexecutable (x86).
- Let’s understand
C:WindowsSystem32cmd.exe cmd /c Credits.txt
C:WindowsSystem32cmd.exe cmdis asking to start a new instance of the Windows XP command interpreter.
/cmeans ‘Carries out the command specified by string and then terminate’
In short, it runs Credits.txt
To actually understand what exactly does it do, you need to disassemble the program and look into the assembly code using some tools like IDA Pro.
As you can see from the screenshot, credits.txt is acutally a windows binary (
this program must be run under Win32)
cmd /c runs the program specified (in your case
credits.txt. The file ending is apparently not relevant in this case.