» cmd.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (6)

cmd.exe

Windows Command Processor

Microsoft Corporation

It is included with the Windows 7 OS. The file has been seen being downloaded from dl-mail.ymail.com and multiple other hosts.

File name:

cmd.exe

Publisher:

Microsoft Corporation

Product:

Microsoft® Windows® Operating System

Description:

Windows Command Processor

Part of the Windows 7 Operating System

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

MD5:

6960d29abe74341fab8300db3e6f883d

SHA-1:

4bbbd51de263b20d9553560f57b6eff526fcb55e

SHA-256:

8651e663d5effb9022046ab46452a102d1f31f5edb90ac87d8db023fe54b92f0

Scanner detections:

0 / 68

Status:

Clean (as of last analysis)
Whitelisted (by digital signature)

Analysis date:

11/16/2024 12:29:03 AM UTC (today)

File size:

336.5 KB (344,576 bytes)

Product version:

6.1.7600.16385

Original file name:

Cmd.Exe.MUI

File type:

Executable application (Win64 EXE)

Language:

English (United States)

Common path:

C:\Windows\System32\cmd.exe

File PE Metadata

Compilation timestamp:

7/14/2009 12:34:37 AM

OS version:

6.1

OS bitness:

Win64

Subsystem:

Windows Console

Linker version:

9.0

CTPH (ssdeep):

6144:fz3kYVJGCP4/0MQ9nrhGwDQCMfo6ZVl18rb8+ct+m:b3kYj20MQVrhQCMfo6ZVlFzt+

Entry address:

0x963C

Entry point:

48, 83, EC, 28, E8, E7, FB, FF, FF, 48, 83, C4, 28, EB, 15, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 48, 89, 74, 24, 08, 48, 89, 7C, 24, 10, 4C, 89, 64, 24, 18, 41, 55, 48, 83, EC, 30, 65, 48, 8B, 04, 25, 30, 00, 00, 00, 48, 8B, 78, 08, 45, 33, E4, 33, C0, F0, 48, 0F, B1, 3D, 30, 3A, 02, 00, 0F, 85, C6, 00, 00, 00, BF, 01, 00, 00, 00, 8B, 05, A3, 3A, 02, 00, 3B, C7, 0F, 84, D5, 00, 00, 00, 8B, 05, 95, 3A, 02, 00, 85, C0, 0F, 85, DD, 00, 00, 00, 89, 3D, 87, 3A, 02... 
[+]

Entropy:

4.6104

Code size:

156 KB (159,744 bytes)

Startup File (User Run Once)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:

uninstall C:\users\{user}\appdata\local\microsoft\skydrive\17.0.2010.0530\amd64

Command:

C:\Windows\System32\cmd.exe \q \c rmdir \s \q "C:\users\{user}\appdata\local\microsoft\skydrive\17.0.2010.0530\amd64"

The file cmd.exe has been seen being distributed by the following 6 URLs.

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ--p6GUUzh6cCHMvXAg4PHqPK05_d5uKDNRAYzHpOVEnG4p8rPfnPrQcivBtwNL6xV5eSfGuKRlgtuLx5_Bkvvfg/messages/@.id==AEqC8QoAABPuV9zYzQBOICS1nqc/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=00c95a8d-289f-b817-011b-3f0049010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBaRYeuju60Pyx2e7K5Az2PHDeSGl0CsjNTBXp_cbiyvA0Fhm2zwXtFvgVad6oDq_D604KeoQuFbR2WhvKq8UTz-&error=https://mg.mail.yahoo.com/.../iframemsg?id=bece7147-820c-73b2-0f4d-17d87269aa55

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-CtJs2n1crchP-l5siQ8TisaAXNp7S_n6cFY3tppJki82DcKiY9k72FYb92z0HsLCDGVGQzbycySR0JrToCvLXg/messages/@.id==AGl4xAoANoPkWD3zFgI6UPHDs0k/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=808cd985-71b1-8c34-0119-28000f010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBYvIyzIPkNbH1aJnqf5gEDQ0fRj3RFnFNnc6L-X3ilLFdfR-wdk07RqFPjCzQJCrdtDP91-R1LLOz_POurk7ZIy&error=https://mg.mail.yahoo.com/.../iframemsg?id=d4a74da6-1207-735b-fd23-e329b645930f

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-AqAV5ryx2NEgz6IgbUTZz0dVvHcJqmWi-0qdLVe-rn4KPCh2EObItQ2rZLG9eMAlXtdAGcSqXvMjL5IQAhN2SA/messages/@.id==AKdUfbwAADrMV-WVEg0ECG1Bi-o/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBaoh_IpHSX_8pNuNTTFFiXOgjCxmzIY1EQPwjlNaTzcbCX6w191E6dXcmnIMVCqoUi8n-OiwpzQ1N7mt6pVyDVB&error=https://fr-mg42.mail.yahoo.com/.../iframemsg?id=b3dd7dee-f6bb-0dc2-a3d0-b102c616c2fb&ymreqid=852fe3a5-27de-d29b-0166-840097010000

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-XIVU-ccbwzZ5DHeAG6vl_9nz5TG7dvUe7sZhs1g7iVscTxora8qt8FOQEyESKP7ipXSQPIt7834jXjyRXCwNNg/messages/@.id==AKt2imIAG1iPV-OUCQwpSB1EwFI/content/parts/@.id==3/raw?appid=YahooMailNeo&ymreqid=73937e6a-d4ab-2ac6-01a9-4b0040010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBZabuZ0eZN0B8UK7FAiGgZ_V9cclgOvvb5Ym7MYnCubkdM5OWZiQz7JJvsLk7YoUdb-2ZtlT9A_pt3lDMkvO-73&error=https://mg.mail.yahoo.com/.../iframemsg?id=11c997f9-7e1d-6383-1ecc-79cb821521da

http://callfor.info/taskmgr.exe

https://mg.mail.yahoo.com/ya/.../AA&fid=Sent&pid=2&clean=0&appid=YahooMailNeo&ymreqid=9367304a-f275-c0dc-01fb-7d000b010000

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.