cmd.exe

Windows Command Processor

Microsoft Corporation

It is set to execute automatically whenever any user logs into Windows (through the local user Run registry setting), under the name 'AMD AVT'. It is also the uninstaller utility registered in the Windows Control Panel for the program EAGLE 5.11.0 by CadSoft Computer GmbH. The file is installed with Windows 7. It has been seen being downloaded from mg.mail.yahoo.com and multiple other hosts.
Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
Windows Command Processor

Part of the Windows 7 (with Service Pack 1) Operating System

Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)

MD5:
ad7b9c14083b52bc532fba5948342b98

SHA-1:
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA-256:
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted (by digital signature)

Analysis date:
11/5/2024 7:03:12 AM UTC

File size:
295.5 KB (302,592 bytes)

Product version:
6.1.7601.17514

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
Cmd.Exe.MUI

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\syswow64\cmd.exe

File PE Metadata
Compilation timestamp:
11/20/2010 4:00:27 AM

OS version:
6.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
9.0

CTPH (ssdeep):
3072:H/Fkbff/FoeMrx9O1vfjQdLCQMcP7FRCMkLjyGez1c:H9kbtoLtM1nM9xf/CMkLmt+

Entry address:
0x829A

Entry point:
E8, EA, F9, FF, FF, 6A, 10, 68, 88, 83, D0, 4A, E8, 9F, A3, FF, FF, 33, DB, 89, 5D, FC, 64, A1, 18, 00, 00, 00, 8B, 70, 04, 89, 5D, E4, BF, 04, 42, D2, 4A, 53, 56, 57, FF, 15, 74, 11, D0, 4A, 3B, C3, 0F, 85, D2, 00, 00, 00, 33, F6, 46, A1, 00, 42, D2, 4A, 3B, C6, 0F, 84, E1, 00, 00, 00, A1, 00, 42, D2, 4A, 85, C0, 75, 78, 89, 35, 00, 42, D2, 4A, 68, 84, 83, D0, 4A, 68, 78, 83, D0, 4A, E8, 71, FF, FF, FF, 59, 59, 85, C0, 0F, 85, C6, 00, 00, 00, A1, 00, 42, D2, 4A, 3B, C6, 75, 1B, 68, 74, 83, D0, 4A, 68, 6C...

Entropy:
4.5939

Code size:
139.5 KB (142,848 bytes)

Program Uninstaller
Program name:
EAGLE 5.11.0

Display publisher:
CadSoft Computer GmbH

Display version:
5.11.0

Uninstall string:
cmd.exe /c start "EAGLE Uninstaller" /min "L:\Program Files\EAGLE-5.11.0\bin\uninstall.bat" L:\Program Files\EAGLE-5.11.0\bin


Safe Boot Alternate Shell
Name:
cmd.exe


11 Scheduled Tasks
Task name:
BrowserSafeguard

Trigger:
Logon (Runs on logon)

Action:
cmd.exe /c start "" "C:\Program Files\browsersafeguard\bro

Description:
Runs your BrowserSafeguard software.

Task name:
WATRemover

Path:
\R@1n-Loader\WATRemover

Trigger:
Logon (Runs on logon)

Task name:
At1

Trigger:
Time

Task name:
At2

Trigger:
Time

Action:
cmd.exe /c del /f /q C:\users\{user}\downloads\programs\ado

Task name:
elevated_cmd_23metsySswodniWC

Task name:
ResetDTL

Path:
\Microsoft\Windows\PMS\ResetDTL

Trigger:
Time (Next runs on 17.03.2014 at 20:12)

Action:
cmd.exe /c del /f /q "C:\Windows\System32\cwlog.dtl"


27 Startup Files (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.3347.0416

Command:
C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.3347.0416"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.4111.0525

Command:
C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.4111.0525"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6003.0710

Command:
C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6003.0710"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6006.0718

Command:
C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6006.0718"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6010.0727

Command:
C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6010.0727"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
uninstall C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6013.0910

Command:
C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\users\{user}\appdata\local\microsoft\skydrive\16.4.6013.0910"


Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AMD AVT

Command:
cmd.exe /c start "amd accelerated video transcoding device initialization" /min "C:\Program Files\amd avt\bin\kdbsync.exe" aml


5 Startup Files (All Users Run Once)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
AvgUninstallURL

Command:
cmd.exe /c start httC:\www.avg.com\ww.special-uninstallation-feedback-appf?lic=nfvzovgttlnwvkwttzrcwletuulnq0wtuvreq0gtnelktug"&"inst=nzctnjexndk3mtqxlvfjwdermy1wsvaxmcsxluyxme0xmeqrms1msumrmjitrkwxm

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
removeiLividdatamngr

Command:
cmd.exe /c rd /s /q "C:\Program Files\movies toolbar"

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
Del7869486

Command:
cmd.exe /q /d /c del "C:\users\{user}\appdata\local\temp\0.del"

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
removeSettingsManagerdatamngr

Command:
cmd.exe /c rd /s /q "C:\Program Files\settings manager"

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
cmdrun

Command:
cmd.exe /c ipconfig /flushdns


The file cmd.exe has been seen being distributed by the following 50 URLs.

https://mg.mail.yahoo.com/.../download?m=YaDownload&mid=2_0_0_3_46250_AJ4JDNkAAALKVfGGDQhwKDicHcI&fid=Draft&pid=2&clean=0&appid=YahooMailNeo

https://unadmexico.blackboard.com/webapps/.../download?course_id=_31147_1&attempt_id=_4462833_1&file_id=_3162171_1&fileName=cmd.exe

https://lms.kku.edu.sa/bbcswebdav/.../xid-13903719_2

https://www.edmodo.com/file?id=132ef1853b8a8467cbe8994b07dcc878

http://eadonline.aeduvirtual.com.br/201602/pluginfile.php/5348/assignsubmission_file/submission_files/.../cmd.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-rJeIB-kVA0JaWvXi5MqfCrGFxPAjeWaU5riYQW9zfjPV0Edq9uP5VmrtSkERT7siq2B7MtMVu5YN8JowUs90aw/messages/@.id==AHvsw0MADv_dV9S8WQZwcAwuNeI/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBbAW3zONRosYIljHqlkhvf_9I5bqsxZHWcM0mUdthVSrYb94Axmp1u6cyLq5ukM_SK24ROmVzZmoO_UokIo2GAM&error=https://ar-mg6.mail.yahoo.com/.../iframemsg?id=aa3ebc78-b555-09eb-67b4-93c96506f37f&ymreqid=fefa7d99-c474-71e6-0179-ce0095010000

https://ecourse.qou.edu/pluginfile.php/12289/mod_data/content/.../????? ?????? ????? ????? ??????? 1151.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-QOas7eRJPiyyUqQJIwJf5mIFpu4qaYeKWMht_jGBj7mQAnamKcuPAv_IK85aH3IQ/messages/@.id==AGFVfbwAACXlWAPvYADyMEV3ILE/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=5d05c5ab-0489-50c5-01f1-d80011010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBblLyE1b0yXqY_2gQcapdcjpkibr9kvXmdiOLVKcasGDQi6fFb366Yo06R8QGnWJu1e10AZxKpe8yMvkhACE3ZI&error=https://fr-mg42.mail.yahoo.com/.../iframemsg?id=ff7cf06b-ad4b-2fe8-aecc-73b29b14c358

https://mg.mail.yahoo.com/.../download?m=YaDownload&mid=2_0_0_2_1_AJVUimIACh87WEKsxA3mmGQ95kI&fid=Sent&pid=2&clean=0&appid=YahooMailBasic

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-l17cfaLXng5k9BHOBuhk7h7MoNaT5QAr5PHKGvOdp95be3KeyDi9-8qHyxH9Rcr5-OZtZrw2rULBXQ-scIJXZQ/messages/@.id==AGVUimIAA0UUWHcbhwZkuE09VY4/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=cb43dc67-d9fa-90d8-01b4-6a002c010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBY32wORy4uByrjB2yT9bPJURbHbv9DWmtEKpHgmK5nQAN4FKffz1guSVnhtBQ4DGpY6y0cZDZK87O4GU8LnZAz6&error=https://mg.mail.yahoo.com/.../iframemsg?id=8d59504b-60d4-92b7-7356-b67e37e62b08

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-eyWosDAECgZhbDtEHmXrdKxyaOkOrWImmY3sM7YWwRlusMYgwkag--2im7QKOEka/messages/@.id==AMLWiGIAAWGyUWqboAt61EclJRA/content/parts/.../raw?appid=YahooMailBasic&ymreqid=2716a4b6-fa65-05de-1387-fb0000010000&token=De5r_ypIeuKRDaGZSXiEycZ5JLbPYWLqYppUq36PisxaHt8_QQPenkQJ7cJhHCg3xzABITRDwb_DhMB7r1IueM9caOFSb0_qJxAeNPndKISldJA8i3vzfiNePJFcLA02

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-QrLaQfY7acyhEQ3p1ndBjyNS6FXS7AnFBHwvFI4bPfMSeTr60V-bBm34LI8QLJZJ8JjduORtDaB3BP2h4xIM7Q/messages/@.id==AIuti2IAABI5VJuogwTSYHo74BY/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBbawb2EdL9gPkn690sz4CHkAevGakxb1BWYaBjkwZjmXMgEG6uewaMuMR4nauBQPZ0MZUZDNvJzJJHQmtOgK8te&error=https://mg.mail.yahoo.com/.../iframemsg?id=ea9ddb64-fcfa-c3e5-b6f7-26084d5c303b&ymreqid=7694832b-cf01-38c8-01ff-ba006b010000

https://mg.mail.yahoo.com/.../download?m=YaDownload&mid=2_0_0_3_13746_AE0JDNkAACPoVUuBIgvDuBztFHk&fid=Draft&pid=2&clean=0&appid=YahooMailNeo

https://webmail.gnet.tn/attach.php?tn=88-0_45e0edaca8702e6e90d1d98cf3647d5f.exe&bsi=2&bse=0&msg_id=88&msg_uid=88&folder_id=301647&folder_fname=Sent&filename=cmd.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-8RvcH-CWo48YZZVRw14wVH6ABToCOHJ98WEWjvrlKSDRyBSBi_jo4EqYXIIzoFX0yqtsdt-jko-uK0ko8KHOrw/messages/@.id==AEhUimIAE2IaV9cqDws3GNXBuuI/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBYRHppgMYcLt65XA25LCPB4N_Sc6YWUJBaHj8yDSobCtVVPY9iW2j5nheXMIgr3K6zoXrvqWXAmKM0cYz1HHvee&error=https://mg.mail.yahoo.com/.../iframemsg?id=99b4581a-739a-de3d-575e-02b0cea40512&ymreqid=8bd7743d-ca1d-a7d0-018a-210042010000

https://doc-0o-c8-docs.googleusercontent.com/docs/securesc/vqjbqfj9mak8o2n2momid0dtb6pc25p8/6tobrrvf9iu16q13e75osqcu52lf3f8c/1484035200000/.../11263784990696020807/0B2saiJs3clddYUQ0TzRPQklUREE?e=download

https://ent95.valdoise.fr/etabs/0951233Z/.../CDTOpenFile.aspx?idScript=PJManager&idFile=09cbbe20-ad90-4e97-a10f-f96bc4485caa

http://plataforma.educaread.com.br/moodle/pluginfile.php/1207/assignsubmission_file/submission_files/.../PROJETO TF13.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-ldE4C74ul3ntkJSlcN5ov0dOhDWl5g2TQJ-CDOwt-TaK0ccax6-6UIFD_IJ7CHuk-OZtZrw2rULBXQ-scIJXZQ/messages/@.id==ACZKyAoAACROV_kKYw7kgMKtFWs/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=aceca561-b65b-0bb5-01fd-ce01b0010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBZxnQTp_X-mfOC0xiw4e8ZudZwRO6EyYex3c0tDn9LYpMTWNJYVkdst3Ot6IigrKIg6y0cZDZK87O4GU8LnZAz6&error=https://fr-mg42.mail.yahoo.com/.../iframemsg?id=b8501ad5-ba37-269a-5177-3d9501b7cdd3

https://onedrive.live.com/download.aspx?cid=F938E19D8709E813&resid=F938E19D8709E813!609&canary=fZubfLbifoHyNhfO25k3LIp60C6 XYF5p6CuZBW9V4w=0&ithint=.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-uiLWOZE6TX9AEbUZxvXbJF6BBLRPuedQKIJ858EgXjcvj4Ks1hgEBnIM0jdHxnW8q2B7MtMVu5YN8JowUs90aw/messages/@.id==AM5hUtQAABY8Vz4OWwyK8CuiW84/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBaeDTuLYmtI7F3F2Zq3hkHeIQzoQuBSbGm8vaR0A-KIsA&error=https://fr-mg42.mail.yahoo.com/.../iframemsg?id=e52c6c11-1bbd-8e7f-a275-95ffd4b3f7e7&ymreqid=a5b972a1-831e-ca18-0145-98002e010000

http://webmail.escola.sme.fortaleza.ce.gov.br/service/home/.../?auth=co&loc=pt_BR&id=6970&part=2&disp=a

https://docs.google.com/uc?authuser=0&id=0B3uOqNgClxKcQ1cwRFBvMkY4dDg&export=download

https://mail.google.com/mail/u/.../?ui=2&ik=4e84a89d29&view=att&th=142b695a33b57000&attid=0.1&disp=safe&realattid=f_hoqm1r4y0&zw

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-VP5E2ApKzuTejZuCeoQRxo9mHdLPSVhr8KW-ZIGEA4sEegaZ65ONIw0US3Weqo2s-OZtZrw2rULBXQ-scIJXZQ/messages/@.id==ALvkimIAEF2gWBZJKAFAUMGyW74/content/parts/.../raw?appid=YahooMailNeo&ymreqid=0c12402d-58dd-6e67-014d-7b0001010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBZSva4GrMiMVCqagcSIK6DRjIkxjwl7r2YXERXhNVd2cKFQkXyec3JS6g7MspaAMgE6y0cZDZK87O4GU8LnZAz6

https://www.dropbox.com/pri/get/FOTOS/.../cmd.exe

https://mg.mail.yahoo.com/.../download?m=YaDownload&mid=2_0_0_1_9624065_ACPFCmoAAAPyVBju1QAAAEjb1YM&fid=Inbox&pid=2&clean=0&appid=YahooMailNeo

https://secure.upf.br/apps/academico/.../aluno.php?id=b4056fced4f9e2b28721648d81e8e328

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-sZ_EdivZCLL3HdfYKQSExB99bEKG-c0HGXLFvRIlIp6eabJ9OqrAKjO5qXVk0_1XLcnHBsCboInoMA37FGtLXw/messages/@.id==ACINiWIAHllxWH4ZsAaAEGNPa6U/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBY3m3AqZtOsCXs_XTgabn7hqOxosTfW4tGh0cv8gJXBbgj3wyXZGuk1WSG-ZH8_qIxicoVAUaLMu2XxE6M3Ct5n&error=https://mg.mail.yahoo.com/.../iframemsg?id=0d64fe85-7278-069b-ba23-a96bcce1c4be&ymreqid=d5b99204-4aec-ce79-01e1-ec001e010000

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-t3I5qYhmmh4SBwfjdnQv0L5Kt45RDkXYsEzxdUxXAbG1585kldvKFfG-wnJpCfjp/messages/@.id==ADAIDNkAACsLWI5NXQj8yCUubV8/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBZ_tXI2tdp9fzJYfvr2enDAcuSmBxPjtZVR1lUrS4Ya2H1SoIEnGTQQO8rJelj63FMdGCDvkq89BJH6dHy28KtS&error=https://mg.mail.yahoo.com/.../iframemsg?id=a904e953-fde2-9e9f-6a52-2c3832909ee5&ymreqid=9780fdbd-b155-e5fe-01fc-26004c010000

Latest 30 of 610 download URLs