cmd.exe

Windows Command Processor

Microsoft Corporation

It is included with the Windows 7 OS. The file has been seen being downloaded from dl-mail.ymail.com and multiple other hosts.
Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
Windows Command Processor

 
Part of the Windows 7 Operating System

Version:
6.1.7600.16385 (win7_rtm.090713-1255)

MD5:
6960d29abe74341fab8300db3e6f883d

SHA-1:
4bbbd51de263b20d9553560f57b6eff526fcb55e

SHA-256:
8651e663d5effb9022046ab46452a102d1f31f5edb90ac87d8db023fe54b92f0

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted  (by digital signature)

Analysis date:
12/28/2024 1:10:36 PM UTC  (today)

File size:
336.5 KB (344,576 bytes)

Product version:
6.1.7600.16385

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
Cmd.Exe.MUI

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\cmd.exe

File PE Metadata
Compilation timestamp:
7/14/2009 12:34:37 AM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
9.0

CTPH (ssdeep):
6144:fz3kYVJGCP4/0MQ9nrhGwDQCMfo6ZVl18rb8+ct+m:b3kYj20MQVrhQCMfo6ZVlFzt+

Entry address:
0x963C

Entry point:
48, 83, EC, 28, E8, E7, FB, FF, FF, 48, 83, C4, 28, EB, 15, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 48, 89, 74, 24, 08, 48, 89, 7C, 24, 10, 4C, 89, 64, 24, 18, 41, 55, 48, 83, EC, 30, 65, 48, 8B, 04, 25, 30, 00, 00, 00, 48, 8B, 78, 08, 45, 33, E4, 33, C0, F0, 48, 0F, B1, 3D, 30, 3A, 02, 00, 0F, 85, C6, 00, 00, 00, BF, 01, 00, 00, 00, 8B, 05, A3, 3A, 02, 00, 3B, C7, 0F, 84, D5, 00, 00, 00, 8B, 05, 95, 3A, 02, 00, 85, C0, 0F, 85, DD, 00, 00, 00, 89, 3D, 87, 3A, 02...
 
[+]

Entropy:
4.6104

Code size:
156 KB (159,744 bytes)

Startup File (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\17.0.2010.0530\amd64

Command:
C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\17.0.2010.0530\amd64"


The file cmd.exe has been seen being distributed by the following 6 URLs.

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ--p6GUUzh6cCHMvXAg4PHqPK05_d5uKDNRAYzHpOVEnG4p8rPfnPrQcivBtwNL6xV5eSfGuKRlgtuLx5_Bkvvfg/messages/@.id==AEqC8QoAABPuV9zYzQBOICS1nqc/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=00c95a8d-289f-b817-011b-3f0049010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBaRYeuju60Pyx2e7K5Az2PHDeSGl0CsjNTBXp_cbiyvA0Fhm2zwXtFvgVad6oDq_D604KeoQuFbR2WhvKq8UTz-&error=https://mg.mail.yahoo.com/.../iframemsg?id=bece7147-820c-73b2-0f4d-17d87269aa55

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-CtJs2n1crchP-l5siQ8TisaAXNp7S_n6cFY3tppJki82DcKiY9k72FYb92z0HsLCDGVGQzbycySR0JrToCvLXg/messages/@.id==AGl4xAoANoPkWD3zFgI6UPHDs0k/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=808cd985-71b1-8c34-0119-28000f010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBYvIyzIPkNbH1aJnqf5gEDQ0fRj3RFnFNnc6L-X3ilLFdfR-wdk07RqFPjCzQJCrdtDP91-R1LLOz_POurk7ZIy&error=https://mg.mail.yahoo.com/.../iframemsg?id=d4a74da6-1207-735b-fd23-e329b645930f

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-AqAV5ryx2NEgz6IgbUTZz0dVvHcJqmWi-0qdLVe-rn4KPCh2EObItQ2rZLG9eMAlXtdAGcSqXvMjL5IQAhN2SA/messages/@.id==AKdUfbwAADrMV-WVEg0ECG1Bi-o/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBaoh_IpHSX_8pNuNTTFFiXOgjCxmzIY1EQPwjlNaTzcbCX6w191E6dXcmnIMVCqoUi8n-OiwpzQ1N7mt6pVyDVB&error=https://fr-mg42.mail.yahoo.com/.../iframemsg?id=b3dd7dee-f6bb-0dc2-a3d0-b102c616c2fb&ymreqid=852fe3a5-27de-d29b-0166-840097010000

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-XIVU-ccbwzZ5DHeAG6vl_9nz5TG7dvUe7sZhs1g7iVscTxora8qt8FOQEyESKP7ipXSQPIt7834jXjyRXCwNNg/messages/@.id==AKt2imIAG1iPV-OUCQwpSB1EwFI/content/parts/@.id==3/raw?appid=YahooMailNeo&ymreqid=73937e6a-d4ab-2ac6-01a9-4b0040010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBZabuZ0eZN0B8UK7FAiGgZ_V9cclgOvvb5Ym7MYnCubkdM5OWZiQz7JJvsLk7YoUdb-2ZtlT9A_pt3lDMkvO-73&error=https://mg.mail.yahoo.com/.../iframemsg?id=11c997f9-7e1d-6383-1ecc-79cb821521da