home

cmd.exe

Windows Command Processor

Microsoft Corporation

It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘AMD AVT’. It is included with the Windows 7 OS. The file has been seen being downloaded from dl-mail.ymail.com and multiple other hosts.
Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
Windows Command Processor

 
Part of the Windows 7 Operating System

Version:
6.1.7600.16385 (win7_rtm.090713-1255)

MD5:
8ae6dd9a6d246004da047f704f0cc487

SHA-1:
b1b941420333fd6f4220e98fa18c0471cac8a38b

SHA-256:
8deab32f7297bcbc22caa7baeb2ddb6bf36e73d9a7f68b6737c1e4c75e213cb9

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted  (by digital signature)

Analysis date:
4/23/2024 9:10:14 PM UTC  (today)

File size:
294.5 KB (301,568 bytes)

Product version:
6.1.7600.16385

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
Cmd.Exe.MUI

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\cmd.exe

File PE Metadata
Compilation timestamp:
7/13/2009 7:22:06 PM

OS version:
6.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
9.0

CTPH (ssdeep):
3072:LczB8Glk0qZycymch1gvlI1wG7nv9y1BpdavagfLjyGbif:Lcd8GmZ8jhytYv7nv2pdavauLmt

Entry address:
0x60DC

Entry point:
E8, 50, FE, FF, FF, 6A, 10, 68, D0, 61, D0, 4A, E8, 23, C1, FF, FF, 33, DB, 89, 5D, FC, 64, A1, 18, 00, 00, 00, 8B, 70, 04, 89, 5D, E4, BF, FC, 41, D2, 4A, 53, 56, 57, FF, 15, 70, 11, D0, 4A, 3B, C3, 0F, 85, D8, 00, 00, 00, 33, F6, 46, A1, F8, 41, D2, 4A, 3B, C6, 0F, 84, E7, 00, 00, 00, A1, F8, 41, D2, 4A, 85, C0, 75, 78, 89, 35, F8, 41, D2, 4A, 68, C8, 61, D0, 4A, 68, BC, 61, D0, 4A, E8, 71, FF, FF, FF, 59, 59, 85, C0, 0F, 85, CC, 00, 00, 00, A1, F8, 41, D2, 4A, 3B, C6, 75, 1B, 68, B8, 61, D0, 4A, 68, B0...
 
[+]

Entropy:
4.5903

Code size:
138.5 KB (141,824 bytes)

Startup File (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
Del1046173

Command:
cmd.exe \q \d \c del "C:\users\{user}\appdata\local\temp\0.del"


Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AMD AVT

Command:
cmd.exe \c start "amd accelerated video transcoding device initialization" \min "C:\Program Files\amd avt\bin\kdbsync.exe" aml


2 Startup Files (All Users Run Once)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
Del1046173

Command:
cmd.exe \q \d \c del "C:\users\{user}\appdata\local\temp\0.del"

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
"C:\Windows\system32\cmd.exe"

Command:
"C:\Windows\System32\cmd.exe" \c "rmdir \s \q "C:\Program Files\decrap my computer""


The file cmd.exe has been seen being distributed by the following 50 URLs.

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-Dr0Kh8NSLWWgnfqMHdEgFDt428wmj29uWBwojDqmN9mf9cWoeKQfbJlcoEFv55p8BEYkNIJOQ01aoEuo-EenvA/messages/@.id==AFevCmoAAC99VxndCACn-PiEuZM/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBba0POuszAo3kIBkFtos-tgojJNsuNhEkIBp5YG5b3EI8z0V2ZCsufMVKw26pD4A1o&error=https://mg.mail.yahoo.com/.../iframemsg?id=4af69150-2b63-b9be-9f05-acfd92fce267&ymreqid=dd7720df-4131-973a-0116-33000a010000

https://doc-08-bc-docs.googleusercontent.com/docs/securesc/9p19390mtdq9mjuj9pr2jrtvhm1m44lu/htm7olf64i3g59t31dk4v948jhem5tmt/1480449600000/.../15259658225114072215/0B_HBfs7BQIItdTVod2VsSDZlOUE?e=download

https://mail.gov.in/iwc/svc/wmap/.../cmd.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-2ZUdbzx3Od5wJjdb8yxCUYvEkBqUyJa88ykgR7GghJZN0mXC7wwyNGno1DPqSzAZq2B7MtMVu5YN8JowUs90aw/messages/@.id==AJd2imIAAhjQWEGdFgzBoIq5smQ/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=11342999-92bb-2769-01c8-9c001e010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBbpUOR_hCYq-QSV9cniyLU1GZKwihq3Kgo1EP0WzM-Ve62ocUqHE4y8mzB26BvGhC0tyccGwJugiegwDfsUa0tf&error=https://mg.mail.yahoo.com/.../iframemsg?id=2138363b-0714-1741-7f18-cf0107cabb30

https://ecourse.qou.edu/pluginfile.php/12289/mod_data/content/.../???? ????? ????? ?????.exe

https://mail.google.com/mail/u/.../?ui=2&ik=3b830d5175&view=att&th=1415672a2acc8f4c&attid=0.1&disp=safe&realattid=f_hm0wneny0&zw

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-lYbjcHB5Kenng1_GC1Chmp9g4hlbETBawO-_3f5VmY_s9Qapb4ECt81Bs-BzsFSX/messages/@.id==AJBUimIAALeJWBotQgDDUF7awI8/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBaZ3OBw1bi5Gc6gMSzTM_tYTWhN8fcWt8SiIlBxTXAGPQHTE3dA91nPlqIIK-ExdV-ldJA8i3vzfiNePJFcLA02&error=https://mg.mail.yahoo.com/.../iframemsg?id=d0122bdb-378c-0baf-edd9-143eb98cd6ba&ymreqid=baa6cfcc-364c-323c-0121-39001c010000

https://lms.kau.edu.sa/bbcswebdav/.../xid-5573036_1?globalNavigation=false

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-JsG5s34rr0F2Go5HUA9I7Xrxer30DiD4Sn2kV7L9oQM9UFaFLH1_QiVf96J3Uwi5/messages/@.id==ACx3w0MANBWRWD3cfggOgEr8vBs/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=771d0360-626a-bdc5-0190-710011010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBbwCS2hHbuAUiRx0NarfLUHD8mThzSb_bbtXJ35GmEKsI-oM7NNFSg-kobLBVQ9iRYaXYsR4RvwvgV3QYEmzl84&error=https://mg.mail.yahoo.com/.../iframemsg?id=0a61bcec-cc64-90cc-4fd8-b4e4a6094cdd

https://docs.google.com/uc?id=0B0HKqiW4YBF-dGdwVUJGLVRHT0E&export=download

http://zeta.zanella.com.ar/uploads/.../3153_1_1_cmd.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-Z1PIYvaaM5NXX11ZIYAQXHmFeoDs5EHdNCAS65sB3SKXciHFZ24Q5ipZchfWQwzX/messages/@.id==AIAJDNkAABJ3Vv9nKgN6oDiI1UI/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBYeTFdOrUleOWAMZOeqPdHKJHc_Maa26CZ84Qt2EBstBQ&error=https://es-mg42.mail.yahoo.com/.../iframemsg?id=5188f2f4-7e02-930c-66e9-220396f04d87&ymreqid=4486a79e-289e-0ef6-0166-8a0014010000

https://onedrive.live.com/download.aspx?cid=8B5E65F354DFB701&authKey=!AGm6DPGcKowWWIA&resid=8B5E65F354DFB701!156&ithint=.exe

https://mg.mail.yahoo.com/.../download?m=YaDownload&mid=2_0_0_1_4783030_AM9K2kIAAAPHVBDmngAAABJBUZA&fid=Inbox&pid=2&clean=0&appid=YahooMailNeo

https://docs.google.com/uc?authuser=0&id=0Bz1do1jBgsu9Y08ydGxEajBsSGc&export=download

https://onedrive.live.com/download.aspx?cid=5585F3034BCD6100&authKey=!AAJsnPu72UeGIgE&resid=5585F3034BCD6100!256&ithint=.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-EgIkPpJ2GrHnqjCfM7HZSCBPt4oBxnGGvlcku_o8NVObiL5CA0Tjk9rMMhBYLDx6/messages/@.id==AOtJyAoAAB8CWF0U7AteKCt_kBo/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBb_R277Rl_itY6vJcuLxgnnUxBOWGkiD0dcwQLDey6PkcyA5m2wzaV65-c37RNjXfjUHggwyNFXVjVUmGTnLWWV&error=https://mg.mail.yahoo.com/.../iframemsg?id=00683f3b-893f-49d9-bbee-62d06d0863ec&ymreqid=d92d1864-a285-00ac-01ea-53001c010000

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-lUlHny6sdwt0Z3ubjsFR5Trsa2sx-Xl7oKIip_xiphZopRO5Y9vb8S1uq8SBcvgI-OZtZrw2rULBXQ-scIJXZQ/messages/@.id==AGN2w0MAFUerV-FMKwIDoH4LF5Y/content/parts/@.id==3/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBbFn45HWy4oC8Fq1_qXwDvqMB4dkOcgWk-HEcELAhvX2frvZBT4gHi_xaKAlQMouM86y0cZDZK87O4GU8LnZAz6&error=https://us-mg4.mail.yahoo.com/.../iframemsg?id=3d412371-0825-f75a-d8f7-19ac1b6d81ae&ymreqid=d0e51d1d-14c6-95b4-018b-5a001f010000

https://elearning.yu.edu.jo/yulms/draftfile.php/85346/user/draft/.../setting poundaries.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-I57f10EbVQRwIljk62SAHppjQgdLF9lb81Gyj2mS_ddclSgzMzbzQb3d5xRWQ_gQyqtsdt-jko-uK0ko8KHOrw/messages/@.id==ABBMyAoAAenPV5B5hAP3oO5F4Hs/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBb5qHJ9OqqKq7bF_1D6HXeRgJ_Zntfp38pNt8rsRpyN9Q&error=https://xa-mg42.mail.yahoo.com/.../iframemsg?id=4e113e8c-7f87-2dd0-d7b3-3dc3e5c0e65d&ymreqid=54c7e725-d61b-9952-01b4-5e000f010000

https://download.wetransfer.com/us2/.../cmd.exe

https://doc-0g-ag-docs.googleusercontent.com/docs/securesc/n0q8ksnkplglk7kuliu16lbonn09odu2/kktg1a1qimddoitda32p0m2spo2230tf/1463140800000/.../07578414291640884119/0B31UrK7urB_9dTdySThKTEVBWEU?e=download

https://onedrive.live.com/download.aspx?cid=657A0DDE71FBFD4C&authKey=!AHLhoOapZTdqzz0&resid=657A0DDE71FBFD4C!172&ithint=.exe

https://mg.mail.yahoo.com/.../download?m=YaDownload&mid=2_0_0_1_10116046_ABN3w0MAADOeVjjlfw5AcEH9ank&fid=Inbox&pid=3&clean=0&appid=YahooMailNeo&ymreqid=5667ad86-580f-ba30-0153-9e0044010000

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-zH3oGywCdi-QpWsgBkT0Qf6yduMdVmqpS06hiH5THPvuRn1cD9i0RUfYn9d712fE/messages/@.id==AEqC8QoAAEX3VteWaQwtMOCiYGQ/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=d79fcb79-4a7b-44b1-017e-e5007d010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBb8_bOwYEARpsNcLoh6tYlsUWhjIv2uHVC2R0Wv8Q9VgQ&error=https://ph-mg61.mail.yahoo.com/.../iframemsg?id=94b88a4b-fcbb-a5fc-ae34-65994a744030

http://posportugues.uespi.br/moodle/file.php/8/moddata/assignment/266/.../cmd.exe

http://200.156.15.183/lyceump/.../aolDownPub.asp

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-JtOTSq1htzCmV8ICToYWgUlJWFWpcb8hYeeKSf-bcggu5qIAkZlzsTS4eTkGILOC/messages/@.id==AJwJDNkAAD51WAfAAAXviKwX2Sc/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBbaf-8bG-KP2coOyjYHBL1bIdAMTWotqGwOYOQcgyyZgEb1LySaazpPTJwjLSKwaFoGYHG5zZROOYeWZBW-NzAx&error=https://fr-mg42.mail.yahoo.com/.../iframemsg?id=73a42cb2-3e92-9ca0-8367-80d0ad94268f&ymreqid=9535c18e-7baa-8141-019a-0d002c010000

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-M1hVZjkLdkR7KrRQtJntHMdz3K9xHD2FNO0iNxIke_UOXdiIlIequTRJpPYge0vI-OZtZrw2rULBXQ-scIJXZQ/messages/@.id==AHV2w0MAABWAV_aMWQEVWFh-q-0/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBYyCeOa86j_RPLeLWJihI2P3A0RLEJjaeqGRYiAmEnDNQIFdwDKWVUvceA_pV3cWlw6y0cZDZK87O4GU8LnZAz6&error=https://mg.mail.yahoo.com/.../iframemsg?id=dc6bd1b8-d2b7-88e7-1c04-87dda6d2fffd&ymreqid=e0fc119d-7f47-0fc8-0112-1c002b010000

https://mg.mail.yahoo.com/.../download?m=YaDownload&mid=2_0_0_1_7479635_AMe imIAAAN5VrR7yAcYaIwrU6Y&fid=Inbox&pid=2&clean=0&appid=YahooMailNeo&ymreqid=658005ed-9f6a-8a0c-0198-1a001e010000

Latest 30 of 253 download URLs

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.