cmd.exe

Windows Command Processor

Microsoft Corporation

It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘AMD AVT’. This is the uninstaller utility registered in the Windows Control Panel for the program > Chrome Search. It is installed with the Windows 8 pre-release build (RTM). The file has been seen being downloaded from mega.nz and multiple other hosts.
Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
Windows Command Processor

Part of the Windows 8.1 (Blue) Operating System

Version:
6.3.9600.16384 (winblue_rtm.130821-1623)

MD5:
f5ae03de0ad60f5b17b82f2cd68402fe

SHA-1:
7c3d7281e1151fe4127923f4b4c3cd36438e1a12

SHA-256:
6f88fb88ffb0f1d5465c2826e5b4f523598b1b8378377c8378ffebc171bad18b

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted (by digital signature)

Analysis date:
5/18/2024 6:20:59 PM UTC

File size:
349 KB (357,376 bytes)

Product version:
6.3.9600.16384

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
Cmd.Exe.MUI

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\cmd.exe

File PE Metadata
Compilation timestamp:
10/28/2014 8:28:17 PM

OS version:
6.3

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
11.0

CTPH (ssdeep):
6144:Tuknw6IdOrtDbUngzrlzMA32rOZT+zDwSMm:KaHIArtDbUngzBMA3GOZSzDwL

Entry address:
0x6E20

Entry point:
48, 83, EC, 28, E8, 97, FF, FF, FF, 48, 83, C4, 28, EB, 11, CC, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 48, 8B, C4, 48, 89, 58, 08, 48, 89, 70, 10, 48, 89, 78, 18, 4C, 89, 60, 20, 41, 56, 48, 83, EC, 30, 65, 48, 8B, 04, 25, 30, 00, 00, 00, 48, 8B, 58, 08, 45, 33, F6, 33, C0, F0, 48, 0F, B1, 1D, 94, 71, 02, 00, 0F, 85, D7, 00, 00, 00, BB, 01, 00, 00, 00, 8B, 05, 07, 72, 02, 00, 3B, C3, 0F, 84, E7, 00, 00, 00, 8B, 05, F9, 71, 02, 00, 85, C0, 0F, 85, F0, 00, 00, 00, 89, 1D, EB, 71, 02...

Entropy:
4.6656

Code size:
176.5 KB (180,736 bytes)

Program Uninstaller
Program name:
> Chrome Search

Uninstall string:
cmd.exe /c move/y %WinDir%\system32\GroupPolicy\Machine\Registry.pol %WinDir%\system32\GroupPolicy\Machine\Registry.pol.old & move/y %WinDir%\system32\GroupPolicy\Machine\Registry.pol.bak %WinDir%\sys


Safe Boot Alternate Shell
Name:
cmd.exe


5 Scheduled Tasks
Task name:
Configuration

Path:
\Microsoft\Windows\Software Inventory Logging\Configuration

Trigger:
Boot (Runs on boot)

Task name:
GeniusBox

Trigger:
Time (Next runs on 11/25/2015 at 4:54 PM)

Task name:
iolo DelOnReboot

Trigger:
Logon (Runs on logon)

Task name:
RocketTab

Trigger:
Logon (Runs on logon)

Description:
Runs your RocketTab software.

Task name:
RestoreSearch

Trigger:
Daily (Runs daily at 1:20)

Description:
Browser search setting


10 Startup Files (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\17.0.4035.0328\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\17.0.4035.0328\amd64"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\17.0.4023.1211\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\17.0.4023.1211\amd64"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\17.0.4023.1211

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\17.0.4023.1211"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\17.0.4035.0328

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\17.0.4035.0328"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6012.0828

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6012.0828"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\onedrive\17.3.4604.0120\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\onedrive\17.3.4604.0120\amd64"


Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AMD AVT

Command:
cmd.exe \c start "amd accelerated video transcoding device initialization" \min "C:\Program Files\amd avt\bin\kdbsync.exe" aml


Startup File (All Users Run Once)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
cmdrun

Command:
cmd.exe \c ipconfig \flushdns


The file cmd.exe has been seen being distributed by the following 15 URLs.