cachemgr.exe

The executable cachemgr.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘StubPath’. While running, it connects to the Internet address windowsmobile.co.kr on port 80 using the HTTP protocol.
MD5:
27238d20b16e634b98ab502c16da7ddb

SHA-1:
afa2fffe247b622a4532cfdd5eb92954134ece91

SHA-256:
7579b8d0e8a6777ac8e44b18c1f4e509cbc814ba0e3fba90c9c712341c38d6aa

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/28/2024 4:59:28 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Installer (M)

Engine version:
17.2.8.17

File size:
223.5 KB (228,864 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\cachemgr.exe

File PE Metadata
Compilation timestamp:
1/4/2005 10:12:41 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x12ECC

Entry point:
E8, 72, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, BD, 41, 00, 89, 0D, 74, BD, 41, 00, 89, 15, 70, BD, 41, 00, 89, 1D, 6C, BD, 41, 00, 89, 35, 68, BD, 41, 00, 89, 3D, 64, BD, 41, 00, 66, 8C, 15, 90, BD, 41, 00, 66, 8C, 0D, 84, BD, 41, 00, 66, 8C, 1D, 60, BD, 41, 00, 66, 8C, 05, 5C, BD, 41, 00, 66, 8C, 25, 58, BD, 41, 00, 66, 8C, 2D, 54, BD, 41, 00, 9C, 8F, 05, 88, BD, 41, 00, 8B, 45, 00, A3, 7C, BD, 41, 00, 8B, 45, 04, A3, 80, BD, 41, 00, 8D, 45, 08, A3, 8C, BD, 41...

Entropy:
5.3735

Code size:
95 KB (97,280 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\ProgramData\cachemgr.exe" -as

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to windowsmobile.co.kr (207.46.197.32:80)

TCP (HTTP):
Connects to windowsnt.net.vi (207.46.232.182:80)

Remove cachemgr.exe - Powered by Reason Core Security