cmd.exe

Windows Command Processor

Microsoft Corporation

It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘AntiUsbWorm’. This is the uninstaller utility registered in the Windows Control Panel for the program EAGLE 6.5.0 by CadSoft Computer GmbH. It is installed with Windows 7.
Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
Windows Command Processor

 
Part of the Windows 7 (with Service Pack 1) Operating System

Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)

MD5:
5746bd7e255dd6a8afa06f7c42c1ba41

SHA-1:
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA-256:
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted  (by digital signature)

Analysis date:
12/28/2024 8:36:31 PM UTC  (today)

File size:
337 KB (345,088 bytes)

Product version:
6.1.7601.17514

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
Cmd.Exe.MUI

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\cmd.exe

File PE Metadata
Compilation timestamp:
11/20/2010 4:46:13 AM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
9.0

CTPH (ssdeep):
6144:NVl7yDR2iaGcsVXFBM6IT77aVebJWC1jIdDWCoCX9Sm:jdyDRwpmFq6ITSebJWwjIdDbNS

Entry address:
0x90B4

Entry point:
48, 83, EC, 28, E8, 0F, 00, 00, 00, 48, 83, C4, 28, E9, A6, 07, 00, 00, 90, 90, 90, 90, 90, 90, 48, 89, 5C, 24, 18, 57, 48, 83, EC, 20, 48, 8B, 05, EB, 50, 02, 00, 48, 83, 64, 24, 30, 00, 48, BF, 32, A2, DF, 2D, 99, 2B, 00, 00, 48, 3B, C7, 0F, 85, F8, 6F, 01, 00, 48, 8D, 4C, 24, 30, FF, 15, FF, 03, 02, 00, 48, 8B, 5C, 24, 30, FF, 15, 1C, 06, 02, 00, 44, 8B, D8, 49, 33, DB, FF, 15, F8, 02, 02, 00, 44, 8B, D8, 49, 33, DB, FF, 15, 84, 01, 02, 00, 48, 8D, 4C, 24, 38, 44, 8B, D8, 49, 33, DB, FF, 15, 7B, 01, 02...
 
[+]

Entropy:
4.6111

Code size:
156.5 KB (160,256 bytes)

7 Program Uninstaller
Program name:
EAGLE 6.5.0

Display publisher:
CadSoft Computer GmbH

Display version:
6.5.0

Uninstall string:
cmd.exe /c start "EAGLE Uninstaller" /min "C:\Program Files (x86)\EAGLE-6.5.0\bin\uninstall.bat" C:\Program Files (x86)\EAGLE-6.5.0\bin

Program name:
EAGLE 6.4.0

Display publisher:
CadSoft Computer GmbH

Display version:
6.4.0

Uninstall string:
cmd.exe /c start "EAGLE Uninstaller" /min "C:\Program Files (x86)\EAGLE-6.4.0\bin\uninstall.bat" C:\Program Files (x86)\EAGLE-6.4.0\bin

Program name:
Banking 4W

Display publisher:
Subsembly GmbH

Uninstall string:
cmd.exe /q /c ""C:\Program Files (x86)\TopBanking\AppRemove.bat" "C:\Program Files (x86)\TopBanking" TopBanking"

Program name:
EAGLE 7.1.0

Display publisher:
CadSoft Computer GmbH

Display version:
7.1.0

Uninstall string:
cmd.exe /c start "EAGLE Uninstaller" /min "C:\EAGLE-7.1.0\bin\uninstall.bat" C:\EAGLE-7.1.0\bin

Program name:
EAGLE 7.2.0

Display publisher:
CadSoft Computer GmbH

Display version:
7.2.0

Uninstall string:
cmd.exe /c start "EAGLE Uninstaller" /min "C:\EAGLE-7.2.0\bin\uninstall.bat" C:\EAGLE-7.2.0\bin

Program name:
> Chrome Search

Uninstall string:
cmd.exe /c move/y %WinDir%\system32\GroupPolicy\Machine\Registry.pol %WinDir%\system32\GroupPolicy\Machine\Registry.pol.old & move/y %WinDir%\system32\GroupPolicy\Machine\Registry.pol.bak %WinDir%\sys


Safe Boot Alternate Shell
Name:
cmd.exe


40 Scheduled Tasks
Task name:
BrowserSafeguard

Trigger:
Logon (Runs on logon)

Action:
cmd.exe \c start "" "C:\Program Files\browsersafegua

Description:
Runs your BrowserSafeguard software.

Task name:
RocketTab

Trigger:
Logon (Runs on logon)

Action:
cmd.exe \c start "" "C:\Program Files\rockettab\clie

Description:
Runs your RocketTab software.

Task name:
GeniusBox

Trigger:
Time (Next runs on 8/22/2015 at 4:20 AM)

Action:
cmd.exe \c start "" "C:\users\{user}\appdata\local\browse

Task name:
iolo DelOnReboot

Trigger:
Boot (Runs on boot)

Action:
cmd.exe \c del \f C:\ProgramData\iolo\ops\smrr.dll

Task name:
Ninite - Air

Trigger:
Weekly (Runs weekly on Tuesdays at 9:59 AM)

Task name:
Ninite - Audacity

Trigger:
Weekly (Runs weekly on Tuesdays at 9:28 AM)


7 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AntiUsbWorm

Command:
C:\Windows\System32\cmd.exe \c start C:\google\autoit3.exe \autoit3executescript C:\google\googleupdate.a3x & exit

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Bomgar_Cleanup_ZD191346117911

Command:
cmd.exe \c rd \s \q "C:\ProgramData\bomgar-scc-0x55d39f65" & reg.exe delete hkcu\software\microsoft\windows\currentversion\run \v bomgar_cleanup_zd191346117911 \f

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Bomgar_Cleanup_ZD2020364355

Command:
cmd.exe \c rd \s \q "C:\ProgramData\bomgar-scc-0x55d34feb" & reg.exe delete hkcu\software\microsoft\windows\currentversion\run \v bomgar_cleanup_zd2020364355 \f

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Bomgar_Cleanup_ZD12780386943

Command:
cmd.exe \c rd \s \q "C:\ProgramData\bomgar-scc-0x55d3691e" & reg.exe delete hkcu\software\microsoft\windows\currentversion\run \v bomgar_cleanup_zd12780386943 \f

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Bomgar_Cleanup_ZD1438650512438

Command:
cmd.exe \c rd \s \q "C:\ProgramData\bomgar-scc-0x55b80606" & reg delete hkcu\software\microsoft\windows\currentversion\run \v bomgar_cleanup_zd1438650512438 \f

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Bomgar_Cleanup_ZD136273262900

Command:
cmd.exe \c rd \s \q "C:\ProgramData\bomgar-scc-0x55db452f" & reg delete hkcu\software\microsoft\windows\currentversion\run \v bomgar_cleanup_zd136273262900 \f


124 Startup Files (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.3347.0416\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.3347.0416\amd64"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.4111.0525\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.4111.0525\amd64"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6003.0710\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6003.0710\amd64"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6006.0718\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6006.0718\amd64"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6010.0727\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6010.0727\amd64"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6013.0910\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6013.0910\amd64"


4 Startup Files (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AMD AVT

Command:
cmd.exe \c start "amd accelerated video transcoding device initialization" \min "C:\Program Files\amd avt\bin\kdbsync.exe" aml

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Adobe Flash Player SU

Command:
C:\Windows\System32\cmd.exe \k if %datC:~6,4%%datC:~3,2%%datC:~0,2% leq 20130606 (exit) else (start httC:\lyll.net && exit)

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AntiUsbWorm

Command:
C:\Windows\System32\cmd.exe \c start C:\google\autoit3.exe \autoit3executescript C:\google\googleupdate.a3x & exit

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CMD

Command:
cmd.exe \k if %datC:~6,4%%datC:~3,2%%datC:~0,2% leq 20130909 (exit) else (start httC:\alt-rutor.org && exit)


67 Startup Files (All Users Run Once)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
Del88825362

Command:
cmd.exe \q \d \c del "C:\users\{user}\appdata\local\temp\0.del"

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
AvgUninstallURL

Command:
cmd.exe \c start httC:\www.avg.com\ww.special-uninstallation-feedback-app?lic=oabnaeuasaatafiawabzaeyaraataeoavqbwadcamgatadgaoqayadiaugataeyavabeae8aoaatafearqbnaeiauga"&"inst=nwa2ac0angawadiamwa2ad

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
SpybotDeletingC1952

Command:
cmd.exe \c del "C:\ProgramData\microsoft\windows\start menu\programs\pricegong\pricegong contact us.lnk"

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
SpybotDeletingC837

Command:
cmd.exe \c del "C:\ProgramData\microsoft\windows\start menu\programs\pricegong\pricegong help.lnk"

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
SpybotDeletingC468

Command:
cmd.exe \c del "C:\ProgramData\microsoft\windows\start menu\programs\pricegong\pricegong homepage.lnk"

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
SpybotDeletingC989

Command:
cmd.exe \c del "C:\ProgramData\microsoft\windows\start menu\programs\pricegong\uninstall pricegong.lnk"


User Start Menu Item
Name:
cmd.exe


The file cmd.exe has been seen being distributed by the following 21 URLs.

ftp://10.10.10.10/Softwares/DriverPack Solution15.12 Drayver-Paki 15.12.1/DriverPack Solution15.12 Drayver-Paki 15.12.1/.../cmd64.exe

https://onedrive.live.com/.../LSh8Zhf2CcmeMn mfFDVoqA rndo=9&ithint=.exe

http://www.ipa-kenya.org:81/sysworkflow/en/classic/.../cases_ShowDocument?a=5875809345806353f6a9910081362144&v=1

https://doc-08-as-docs.googleusercontent.com/docs/securesc/clhcpde4lpi20jmmtnu6qgbg9q66jp19/hf8pq5rcgd4tj95o92lil376lc1m3hcl/1483120800000/.../15973464953000057264/0B4gbmaQyWx91V0xBdkNvUDJrY2M?e=download

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-GsiPcMkmZnCnJMmJydI9102Uwx_a8Ad4_qNVrqr2iV2LlZCDOdil-4jx5Q4Yc8iwYT-BFeO9hNkNnfv0lDPMIQ/messages/@.id==AM5K2kIAATy4WECoBA65iD1UAWo/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBaYcR0LrtFF72VVeUTXOzXkr0zXwYkjWcYgC8_4Eh3FgL9K40yMHp7wboFmpjMJNKx8-I3Kaj_sMFLMnDdUIcOa&error=https://mg.mail.yahoo.com/.../iframemsg?id=4cc7c52a-1719-c6ef-b969-ee150845e2c0&ymreqid=c9981377-2623-3743-0161-4400ca010000

http://download777.mediafire.com/6nsrhxpe393g/.../cmd(4).exe

http://82.194.61.184/exchange/abeesh/Drafts/dsr ghuloom jan- july 15.EML/cmd.exe/.../cmd.exe

https://login.nexus.uanl.mx/App/Curso/.../wfDownload.aspx?Unidad=F:-Contenedor_935-&RecursoNombre=cmd&ArchivoAnterior=282427_15-11-2016_12-09-14_3.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-F9tY-8CLMBZ-D2PZ8627lP7boBplNCcsKrtiateAtxfqnpSAelqJian3wLCwm3tY/messages/@.id==AJZUimIAABsVV9KrbgiTUNIQWxI/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBajA9LIdJSoJ_Dod779M0Ptp9IiAbTcpoM32x8uuWXodENEBfZTJ6vBFr0f3NmL3wX45m1mvDatQsFdD6xwgldl&error=https://mg.mail.yahoo.com/.../iframemsg?id=32ba0293-2bc7-86dc-6213-bf7db9aa2b41&ymreqid=7783ad79-c4b7-e759-0163-a6001d010000

https://senaintro.blackboard.com/webapps/.../download?course_id=_1783228_1&attempt_id=_43009652_1&file_id=_97563111_1&fileName=cmd.exe

http://micurso.org/web/file.php/32/moddata/assignment/843/.../cmd.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-PQDF_1OlyVBr90dkUXkMLehmX3uitvaqec9c9KuemGFSpOaPCwFYAtbqQHidzMg5pXSQPIt7834jXjyRXCwNNg/messages/@.id==ABOvCmoAAAMCVngZEQYDELSOvS0/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBbsMY29NV356pa-fZuu-6ulPWwR6MTimE3_wEQ2e-liUzBGEPPq3otFBUoExIRaP9r-2ZtlT9A_pt3lDMkvO-73&error=https://mg.mail.yahoo.com/.../iframemsg?id=fcff0118-74c0-be6a-9f8e-70583f021b23&ymreqid=f1912f65-db02-3dab-016f-0e0012010000

https://onedrive.live.com/.../Sr XsPyV0ceSGsH08aZkOkA=4&ithint=.exe

https://mail.uthm.edu.my/service/home/.../?auth=co&loc=en_GB&id=100075&part=2

https://onedrive.live.com/download.aspx?cid=54BDE063C672C48C&resid=54BDE063C672C48C!107&canary=Ze1r7tQXfOXlQwDnTegXo0LcCffs19szYyluw0qjN2M=2&ithint=.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-CoxqSJeu-8APZwAq-tFqPpzEtBQnoKJ1KYy6RqPpJwelafivxhMMxm6U9I_nNs51Gl2LEeEb8L4Fd0GBJs5fOA/messages/@.id==AIi_imIAFBu0V99bmQ65iPB-Qb8/content/parts/@.id==3/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBZejOhc_UhASsciYyf1IEQeDvFnxBNlEhoSglUnGFsTXfnsELRABC31MTlpOFVBlvbhBLnz2bZQufgc5_eQwIX-&error=https://mg.mail.yahoo.com/.../iframemsg?id=9e25eec8-5e39-0a2c-ce69-b11bc239420c&ymreqid=d1f5b831-b2fe-6bc7-01bf-ed0032010000