!EXM Free Tweaking Utility V9.2.1.cmd
- Filename:
- !EXM Free Tweaking Utility V9.2.1.cmd
- md5:
- 05113913151c69115141a5c00705ecca
- sha1:
- ff8561ed77e233d194a29968efb8704ded492470
- sha256:
- f74f11bcafe7d2d12c879cc4bd0295cbe99768c7acc54449e9e0fcfe244d2095
- Filetype:
- DOS batch file, Unicode text, UTF-8 (with BOM) tex ...
- Size (Bytes):
- 691098
- Classification:
- malicious
- Indexed:
- Fri Jul 18 2025 10:23:34 GMT+0000 (a month ago)
- Last modified:
- Sat Jul 26 2025 14:30:20 GMT+0000 (a month ago)
Sample information
0
Antivirus detections0
IDS alerts24
Processes0
Http events0
Contacted hosts0
DNS Requests8
Score
Current activity of this Sample
Blacklist timeline
First seen: Fri Jul 18 2025 10:30:04 GMT+0000
Last seen: Sat Jul 26 2025 14:30:19 GMT+0000
Period: 8 days
Last seen: Sat Jul 26 2025 14:30:19 GMT+0000
Period: 8 days
Hashes
In depth details
Dates
Tags
Developers can check API Specification here:
Request:
curl -H "Authorization: Bearer <API_KEY>" https://api.maltiverse.com/sample/f74f11bcafe7d2d12c879cc4bd0295cbe99768c7acc54449e9e0fcfe244d2095
Request:
Alternatively you can use Maltiverse Python3 Library:
import requests
import json
url = 'https://api.maltiverse.com/sample/f74f11bcafe7d2d12c879cc4bd0295cbe99768c7acc54449e9e0fcfe244d2095'
response = requests.get(url)
print(json.dumps(response.json(), indent=4, sort_keys=True))
Request:
$url = 'https://api.maltiverse.com/sample/f74f11bcafe7d2d12c879cc4bd0295cbe99768c7acc54449e9e0fcfe244d2095'
$headers = @{Authorization=("Bearer {0}" -f "<API_KEY>")}
$response = Invoke-RestMethod $url -Headers $headers
Write-Output $response
Response:
{
"blacklist": [
{
"count": 25,
"description": "Generic Malware",
"first_seen": "2025-07-18 10:30:04",
"last_seen": "2025-07-26 14:30:19",
"ref": [
21745
],
"source": "Hybrid-Analysis"
}
],
"classification": "malicious",
"creation_time": "2025-07-18 10:23:34",
"filename": [
"!EXM Free Tweaking Utility V9.2.1.cmd"
],
"filetype": "DOS batch file, Unicode text, UTF-8 (with BOM) tex ...",
"is_alive": false,
"is_cdn": false,
"is_cnc": false,
"is_distributing_malware": false,
"is_hosting": false,
"is_iot_threat": false,
"is_known_attacker": false,
"is_known_scanner": false,
"is_mining_pool": false,
"is_open_proxy": false,
"is_phishing": false,
"is_sinkhole": false,
"is_storing_phishing": false,
"is_tor_node": false,
"is_vpn_node": false,
"md5": "05113913151c69115141a5c00705ecca",
"modification_time": "2025-07-26 14:30:20",
"process_list": [
{
"commandline": "/c \"\"C:\\!EXMFreeTweakingUtilityV9.2.1.cmd\" \"",
"name": "cmd.exe",
"normalizedpath": "%WINDIR%\\system32\\cmd.exe",
"sha256": "ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f",
"uid": "00000000-00005320"
},
{
"commandline": "cmd /c \"C:\\!EXMFreeTweakingUtilityV9.2.1.cmd\" max",
"name": "cmd.exe",
"normalizedpath": "%WINDIR%\\system32\\cmd.exe",
"sha256": "ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f",
"uid": "00000000-00000356"
},
{
"commandline": "reg add \"HKCU\\CONSOLE\" /v \"VirtualTerminalLevel\" /t REG_DWORD /d \"1\" /f",
"name": "reg.exe",
"normalizedpath": "%WINDIR%\\system32\\reg.exe",
"sha256": "6b3ef0286b7f12b6dbd3bfe07f2473de16b30f2496a45985901f035cb509435f",
"uid": "00000000-00001192"
},
{
"commandline": "chcp 437",
"name": "chcp.com",
"normalizedpath": "%WINDIR%\\system32\\chcp.com",
"sha256": "c5d29fd4a61366c3f1dcbf5066254de119ca1cf743e1c637310b001ba86b2a45",
"uid": "00000000-00005280"
},
{
"commandline": "/c powershell -NoProfile -Command \"(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value\"",
"name": "cmd.exe",
"normalizedpath": "%WINDIR%\\system32\\cmd.exe",
"sha256": "ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f",
"uid": "00000000-00003688"
},
{
"commandline": "powershell -NoProfile -Command \"(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value\"",
"name": "powershell.exe",
"normalizedpath": "%WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"sha256": "34507738f84b9d4f231dc0c187fee4a03b4ddb84cf63ff56a4a1761a9bd56ea6",
"uid": "00000000-00004840"
},
{
"commandline": "powershell -NoProfile Enable-ComputerRestore -Drive 'C:\\'",
"name": "powershell.exe",
"normalizedpath": "%WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"sha256": "34507738f84b9d4f231dc0c187fee4a03b4ddb84cf63ff56a4a1761a9bd56ea6",
"uid": "00000000-00001560"
},
{
"commandline": "reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"RPSessionInterval\" /f",
"name": "reg.exe",
"normalizedpath": "%WINDIR%\\system32\\reg.exe",
"sha256": "6b3ef0286b7f12b6dbd3bfe07f2473de16b30f2496a45985901f035cb509435f",
"uid": "00000000-00007952"
},
{
"commandline": "reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableConfig\" /f",
"name": "reg.exe",
"normalizedpath": "%WINDIR%\\system32\\reg.exe",
"sha256": "6b3ef0286b7f12b6dbd3bfe07f2473de16b30f2496a45985901f035cb509435f",
"uid": "00000000-00003852"
},
{
"commandline": "reg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"SystemRestorePointCreationFrequency\" /t REG_DWORD /d 0 /f",
"name": "reg.exe",
"normalizedpath": "%WINDIR%\\system32\\reg.exe",
"sha256": "6b3ef0286b7f12b6dbd3bfe07f2473de16b30f2496a45985901f035cb509435f",
"uid": "00000000-00004504"
},
{
"commandline": "chcp 65001",
"name": "chcp.com",
"normalizedpath": "%WINDIR%\\system32\\chcp.com",
"sha256": "c5d29fd4a61366c3f1dcbf5066254de119ca1cf743e1c637310b001ba86b2a45",
"uid": "00000000-00007956"
},
{
"commandline": "timeout /t 3 /nobreak",
"name": "timeout.exe",
"normalizedpath": "%WINDIR%\\system32\\timeout.exe",
"sha256": "b6d49416f9ad736b0de3e8e2f3b9174f7f274751de9cff9f5d0840dd1e03b56a",
"uid": "00000000-00004144"
},
{
"commandline": "/c \"\"C:\\!EXMFreeTweakingUtilityV9.2.1.cmd\" \"",
"name": "cmd.exe",
"normalizedpath": "%WINDIR%\\system32\\cmd.exe",
"sha256": "423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb",
"uid": "00000000-00009080"
},
{
"commandline": "cmd /c \"C:\\!EXMFreeTweakingUtilityV9.2.1.cmd\" max",
"name": "cmd.exe",
"normalizedpath": "%WINDIR%\\system32\\cmd.exe",
"sha256": "423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb",
"uid": "00000000-00006332"
},
{
"commandline": "reg add \"HKCU\\CONSOLE\" /v \"VirtualTerminalLevel\" /t REG_DWORD /d \"1\" /f",
"name": "reg.exe",
"normalizedpath": "%WINDIR%\\system32\\reg.exe",
"sha256": "411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde",
"uid": "00000000-00000700"
},
{
"commandline": "chcp 437",
"name": "chcp.com",
"normalizedpath": "%WINDIR%\\system32\\chcp.com",
"sha256": "ab5581453ba81f7ef13a7800ce2f94b46f74e36991b6ff61115c353b025ae53b",
"uid": "00000000-00007196"
},
{
"commandline": "/c powershell -NoProfile -Command \"(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value\"",
"name": "cmd.exe",
"normalizedpath": "%WINDIR%\\system32\\cmd.exe",
"sha256": "423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb",
"uid": "00000000-00008096"
},
{
"commandline": "powershell -NoProfile -Command \"(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value\"",
"name": "powershell.exe",
"normalizedpath": "%WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"sha256": "d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd",
"uid": "00000000-00004512"
},
{
"commandline": "powershell -NoProfile Enable-ComputerRestore -Drive 'C:\\'",
"name": "powershell.exe",
"normalizedpath": "%WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"sha256": "d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd",
"uid": "00000000-00004164"
},
{
"commandline": "reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"RPSessionInterval\" /f",
"name": "reg.exe",
"normalizedpath": "%WINDIR%\\system32\\reg.exe",
"sha256": "411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde",
"uid": "00000000-00004604"
},
{
"commandline": "reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableConfig\" /f",
"name": "reg.exe",
"normalizedpath": "%WINDIR%\\system32\\reg.exe",
"sha256": "411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde",
"uid": "00000000-00006784"
},
{
"commandline": "reg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"SystemRestorePointCreationFrequency\" /t REG_DWORD /d 0 /f",
"name": "reg.exe",
"normalizedpath": "%WINDIR%\\system32\\reg.exe",
"sha256": "411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde",
"uid": "00000000-00003292"
},
{
"commandline": "chcp 65001",
"name": "chcp.com",
"normalizedpath": "%WINDIR%\\system32\\chcp.com",
"sha256": "ab5581453ba81f7ef13a7800ce2f94b46f74e36991b6ff61115c353b025ae53b",
"uid": "00000000-00007940"
},
{
"commandline": "timeout /t 3 /nobreak",
"name": "timeout.exe",
"normalizedpath": "%WINDIR%\\system32\\timeout.exe",
"sha256": "4310bfc44b00c09f13c0e82fd9e9f9503643bdac089111ae983326bb250edfc5",
"uid": "00000000-00007180"
}
],
"score": 8,
"scoring_executed_time": "2025-07-18 10:30:05",
"sha1": "ff8561ed77e233d194a29968efb8704ded492470",
"sha256": "f74f11bcafe7d2d12c879cc4bd0295cbe99768c7acc54449e9e0fcfe244d2095",
"size": 691098,
"tag": [
"evasive"
],
"type": "sample"
}
Process list
- uid
- 00000000-00005320
- commandline
- /c ""C:\!EXMFreeTweakingUtilityV9.2.1.cmd" "
- name
- cmd.exe
- normalizedpath
- %WINDIR%\system32\cmd.exe
- sha256
- ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f
- uid
- 00000000-00000356
- commandline
- cmd /c "C:\!EXMFreeTweakingUtilityV9.2.1.cmd" max
- name
- cmd.exe
- normalizedpath
- %WINDIR%\system32\cmd.exe
- sha256
- ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f
- uid
- 00000000-00001192
- commandline
- reg add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
- name
- reg.exe
- normalizedpath
- %WINDIR%\system32\reg.exe
- sha256
- 6b3ef0286b7f12b6dbd3bfe07f2473de16b30f2496a45985901f035cb509435f
- uid
- 00000000-00005280
- commandline
- chcp 437
- name
- chcp.com
- normalizedpath
- %WINDIR%\system32\chcp.com
- sha256
- c5d29fd4a61366c3f1dcbf5066254de119ca1cf743e1c637310b001ba86b2a45
- uid
- 00000000-00003688
- commandline
- /c powershell -NoProfile -Command "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"
- name
- cmd.exe
- normalizedpath
- %WINDIR%\system32\cmd.exe
- sha256
- ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f
- uid
- 00000000-00004840
- commandline
- powershell -NoProfile -Command "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"
- name
- powershell.exe
- normalizedpath
- %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe
- sha256
- 34507738f84b9d4f231dc0c187fee4a03b4ddb84cf63ff56a4a1761a9bd56ea6
- uid
- 00000000-00001560
- commandline
- powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
- name
- powershell.exe
- normalizedpath
- %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe
- sha256
- 34507738f84b9d4f231dc0c187fee4a03b4ddb84cf63ff56a4a1761a9bd56ea6
- uid
- 00000000-00007952
- commandline
- reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
- name
- reg.exe
- normalizedpath
- %WINDIR%\system32\reg.exe
- sha256
- 6b3ef0286b7f12b6dbd3bfe07f2473de16b30f2496a45985901f035cb509435f
- uid
- 00000000-00003852
- commandline
- reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
- name
- reg.exe
- normalizedpath
- %WINDIR%\system32\reg.exe
- sha256
- 6b3ef0286b7f12b6dbd3bfe07f2473de16b30f2496a45985901f035cb509435f
- uid
- 00000000-00004504
- commandline
- reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
- name
- reg.exe
- normalizedpath
- %WINDIR%\system32\reg.exe
- sha256
- 6b3ef0286b7f12b6dbd3bfe07f2473de16b30f2496a45985901f035cb509435f
- uid
- 00000000-00007956
- commandline
- chcp 65001
- name
- chcp.com
- normalizedpath
- %WINDIR%\system32\chcp.com
- sha256
- c5d29fd4a61366c3f1dcbf5066254de119ca1cf743e1c637310b001ba86b2a45
- uid
- 00000000-00004144
- commandline
- timeout /t 3 /nobreak
- name
- timeout.exe
- normalizedpath
- %WINDIR%\system32\timeout.exe
- sha256
- b6d49416f9ad736b0de3e8e2f3b9174f7f274751de9cff9f5d0840dd1e03b56a
- uid
- 00000000-00009080
- commandline
- /c ""C:\!EXMFreeTweakingUtilityV9.2.1.cmd" "
- name
- cmd.exe
- normalizedpath
- %WINDIR%\system32\cmd.exe
- sha256
- 423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb
- uid
- 00000000-00006332
- commandline
- cmd /c "C:\!EXMFreeTweakingUtilityV9.2.1.cmd" max
- name
- cmd.exe
- normalizedpath
- %WINDIR%\system32\cmd.exe
- sha256
- 423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb
- uid
- 00000000-00000700
- commandline
- reg add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
- name
- reg.exe
- normalizedpath
- %WINDIR%\system32\reg.exe
- sha256
- 411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde
- uid
- 00000000-00007196
- commandline
- chcp 437
- name
- chcp.com
- normalizedpath
- %WINDIR%\system32\chcp.com
- sha256
- ab5581453ba81f7ef13a7800ce2f94b46f74e36991b6ff61115c353b025ae53b
- uid
- 00000000-00008096
- commandline
- /c powershell -NoProfile -Command "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"
- name
- cmd.exe
- normalizedpath
- %WINDIR%\system32\cmd.exe
- sha256
- 423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb
- uid
- 00000000-00004512
- commandline
- powershell -NoProfile -Command "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"
- name
- powershell.exe
- normalizedpath
- %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe
- sha256
- d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd
- uid
- 00000000-00004164
- commandline
- powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
- name
- powershell.exe
- normalizedpath
- %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe
- sha256
- d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd
- uid
- 00000000-00004604
- commandline
- reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
- name
- reg.exe
- normalizedpath
- %WINDIR%\system32\reg.exe
- sha256
- 411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde
- uid
- 00000000-00006784
- commandline
- reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
- name
- reg.exe
- normalizedpath
- %WINDIR%\system32\reg.exe
- sha256
- 411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde
- uid
- 00000000-00003292
- commandline
- reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
- name
- reg.exe
- normalizedpath
- %WINDIR%\system32\reg.exe
- sha256
- 411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde
- uid
- 00000000-00007940
- commandline
- chcp 65001
- name
- chcp.com
- normalizedpath
- %WINDIR%\system32\chcp.com
- sha256
- ab5581453ba81f7ef13a7800ce2f94b46f74e36991b6ff61115c353b025ae53b
- uid
- 00000000-00007180
- commandline
- timeout /t 3 /nobreak
- name
- timeout.exe
- normalizedpath
- %WINDIR%\system32\timeout.exe
- sha256
- 4310bfc44b00c09f13c0e82fd9e9f9503643bdac089111ae983326bb250edfc5