cmd.exe

Windows Command Processor

Microsoft Corporation

It is registered to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘asodakaossd’. It is also the uninstaller utility registered in the Windows Control Panel for the program ‘> Chrome Search’. It is installed with the Windows 8 pre-release build (RTM). The file has been seen being downloaded from download.wetransfer.com and multiple other hosts.
Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
Windows Command Processor

Part of the Windows 8.1 (Blue) Operating System

Version:
6.3.9600.16384 (winblue_rtm.130821-1623)

MD5:
fc0b4a626881d7c5980d757214db2d25

SHA-1:
0c2e3cf2d2f09792960a73dc772a086e99a96764

SHA-256:
0b9bc863e2807b6886760480083e51ba8a66118659f4ff274e7b73944d2219f5

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted (by digital signature)

Analysis date:
11/17/2024 5:47:46 PM UTC

File size:
347.5 KB (355,840 bytes)

Product version:
6.3.9600.16384

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
Cmd.Exe.MUI

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\cmd.exe

File PE Metadata
Compilation timestamp:
8/22/2013 5:03:30 AM

OS version:
6.3

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
11.0

CTPH (ssdeep):
6144:TXZuE+W5DH7sFujjZxtagS0lBSV+ItFmp:9uEzDH7GIZxtagS0XSIIj

Entry address:
0x65B4

Entry point:
48, 83, EC, 28, E8, 43, FE, FF, FF, 48, 83, C4, 28, EB, 0D, CC, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 48, 89, 5C, 24, 08, 48, 89, 74, 24, 10, 48, 89, 7C, 24, 18, 41, 57, 48, 83, EC, 30, 65, 48, 8B, 04, 25, 30, 00, 00, 00, 48, 8B, 58, 08, 33, F6, 33, C0, F0, 48, 0F, B1, 1D, 89, 6A, 02, 00, 0F, 85, CA, 00, 00, 00, BB, 01, 00, 00, 00, 8B, 05, FC, 6A, 02, 00, 3B, C3, 0F, 84, D9, 00, 00, 00, 8B, 05, EE, 6A, 02, 00, 85, C0, 0F, 85, E2, 00, 00, 00, 89, 1D, E0, 6A, 02, 00, 4C, 8D, 3D, B5, 13, 01, 00, 48...

Entropy:
4.6693

Code size:
176 KB (180,224 bytes)

Program Uninstaller
Program name:
> Chrome Search

Uninstall string:
cmd.exe /c move/y %WinDir%\system32\GroupPolicy\Machine\Registry.pol %WinDir%\system32\GroupPolicy\Machine\Registry.pol.old & move/y %WinDir%\system32\GroupPolicy\Machine\Registry.pol.bak %WinDir%\sys


Safe Boot Alternate Shell
Name:
cmd.exe


3 Scheduled Tasks
Task name:
RocketTab

Trigger:
Logon (Runs on logon)

Action:
cmd.exe \c start "" "C:\Program Files\search extensi

Description:
Runs your RocketTab software.

Task name:
GeniusBox

Trigger:
Time (Next runs on 2/9/2015 at 8:40 PM)

Task name:
iolo DelOnReboot

Trigger:
Boot (Runs on boot)


Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
asodakaossd

Command:
C:\Windows\System32\cmd.exe \c start C:\users\{user}\appdata\roaming\aiasfacoiaksf.vbs exit


11 Startup Files (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
ArcadeParlor62.000000

Command:
cmd.exe \c rmdir "C:\users\{user}\appdata\local\arcadeparlor" \s \q

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
ArcadeParlor397.000000

Command:
cmd.exe \c rmdir "C:\users\{user}\appdata\roaming\microsoft\windows\start menu\programs\arcadeparlor\" \s \q

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
ArcadeParlor83.000000

Command:
cmd.exe \c reg delete hkcu\software\microsoft\windows\currentversion\uninstall\{b74443db-5a88-4583-860a-f0d06ef399e3} \f

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
ArcadeParlor901.000000

Command:
cmd.exe \c reg delete hkcu\software\appdatalow\software\arcadeparlorconfig \f

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
ArcadeParlor347.000000

Command:
cmd.exe \c reg delete "hkcu\software\microsoft\internet explorer\low rights\elevationpolicy\{cab5f8c0-3826-489f-9c2b-8b73d2c9b0da}" \f

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
ArcadeParlor147.000000

Command:
cmd.exe \c rmdir "C:\users\{user}\appdata\roaming\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{f32e7e42-9afa-47ca-a0c4-d07ee651d404}" \s \q


2 Startup Files (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AMD AVT

Command:
cmd.exe \c start "amd accelerated video transcoding device initialization" \min "C:\Program Files\amd avt\bin\kdbsync.exe" aml

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CMD

Command:
cmd.exe \c start httC:\zivlingamer.org && exit


5 Startup Files (All Users Run Once)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
{E012A94C-E1CB-44B5-8D58-3EF4688CAC92}

Command:
cmd.exe \c start \d "C:\users\{user}\appdata\local\temp" \b {e012a94c-e1cb-44b5-8d58-3ef4688cac92}.exe -accepteula -accepteulaksn -activeimages -postboot

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
{FF334EC8-CE42-4765-8B6C-D73F04116080}

Command:
cmd.exe \c start \d "C:\users\{user}\appdata\local\temp" \b {ff334ec8-ce42-4765-8b6c-d73f04116080}.exe -accepteula -accepteulaksn -activeimages -postboot

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
DelTr1803859

Command:
cmd.exe \c rd \s \q "C:\users\{user}\appdata\roaming\wse_taplika"

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
{853BBCDF-FA09-4C0A-99B3-BFDBB64C075F}

Command:
cmd.exe \c start \d "C:\users\{user}\appdata\local\temp" \b {853bbcdf-fa09-4c0a-99b3-bfdbb64c075f}.exe -accepteula -accepteulaksn -postboot

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
DelTr21512687

Command:
cmd.exe \c rd \s \q "C:\users\{user}\appdata\roaming\wse_taplika"


User Start Menu Item
Name:
cmd.exe


The file cmd.exe has been seen being distributed by the following 7 URLs.

https://download.wetransfer.com/eu2/.../cmd.exe

http://bmail.uol.com.br/attachment?msg_id=MzMxMA&ctype=cmd.exe&disposition=attachment&folder=INBOX&attsize=486940&content_id=&accountId=0

http://www.i-escolar.com/mvc/muralweb/alumnos/301/alumnos/VistasParciales/.../3127?Nombre=cmd.exe

https://onedrive.live.com/download.aspx?cid=D749988E57384F50&authKey=!AJBX3S6SpvmSspI&resid=D749988E57384F50!131&ithint=.exe