» tskmng.exe
Overview
Analysis
File Details
Behaviors (1)
Network (1)

tskmng.exe

The executable tskmng.exe has been detected as malware by 28 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Keyboard Inf.’. While running, it connects to the Internet address cf-190-93-240-15.cloudflare.com on port 80 using the HTTP protocol.

File name:

tskmng.exe

MD5:

b59610d8c44fb3887d7c10b33549f7e9

SHA-1:

e36af5f69ea7944d2217d3cfc3bc691378f8dae8

SHA-256:

ea15b7a5db946af7e7c7e22828efe223ee810ce17a6b8937c91bf3ccb273cd91

Scanner detections:

28 / 68

Status:

Malware

Analysis date:

11/27/2024 11:50:40 PM UTC (a few moments ago)

Scan engine

Detection

Engine version

Agnitum Outpost

Trojan.FakeWarn

7.1.1

AhnLab V3 Security

Trojan/Win32.FakeAlert

2013.11.19

Avira AntiVirus

TR/Agent.4794368.2

7.11.114.78

avast!

Win32:Malware-gen

2014.9-140625

AVG

Generic33

2015.0.3433

Baidu Antivirus

Trojan.Win32.FakeWarn

4.0.3.14625

Bitdefender

Trojan.Fakealert.53356

1.0.20.880

Comodo Security

UnclassifiedMalware

17294

Emsisoft Anti-Malware

Trojan.Fakealert.53356

8.14.06.25.10

ESET NOD32

Win32/CoinMiner.EE

8.9064

Fortinet FortiGate

W32/FakeWarn.Q!tr

6/25/2014

F-Prot

W32/FakeAlert.FT.gen

v6.4.7.1.166

F-Secure

Trojan.Fakealert.53356

11.2014-25-06_4

G Data

Trojan.Fakealert.53356

14.6.22

IKARUS anti.virus

Trojan.Win32.Fakewarn

t3scan.2.2.29

K7 AntiVirus

Backdoor

13.173.10234

Kaspersky

Trojan.Win32.FakeWarn

14.0.0.3658

Malwarebytes

Trojan.Dropper

v2014.06.25.10

McAfee

Artemis!B59610D8C44F

5600.7089

MicroWorld eScan

Trojan.Fakealert.53356

15.0.0.528

Norman

Suspicious_Gen4.EBWDJ

11.20140625

nProtect

Trojan-Clicker/W32.Fakealert.4794368

13.11.18.01

Panda Antivirus

Trj/Genetic.gen

14.06.25.10

Sophos

Mal/Generic-S

4.94

Trend Micro House Call

TROJ_SPNR.15HU13

7.2.176

Trend Micro

TROJ_SPNR.15HU13

10.465.25

Vba32 AntiVirus

Trojan.FakeWarn

3.12.24.3

VIPRE Antivirus

Trojan.FakeAlert

23502

File size:

4.6 MB (4,794,368 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\downlite\tskmng.exe

File PE Metadata

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.50

CTPH (ssdeep):

98304:V/wOLbnbmj+MzConAp3bpzrty/tV9PThWC2NiQsmPlW5jzkGm3wvYPsWRin8:VfnKjrX0FZy/tV9Pt72NtsmPIj4VW+XP

Entry address:

0x1000

Entry point:

68, 9C, 00, 00, 00, 68, 00, 00, 00, 00, 68, 20, 1C, 41, 00, E8, A6, 70, 00, 00, 83, C4, 0C, 68, 00, 00, 00, 00, E8, 9F, 70, 00, 00, A3, 24, 1C, 41, 00, 68, 00, 00, 00, 00, 68, 00, 10, 00, 00, 68, 00, 00, 00, 00, E8, 8C, 70, 00, 00, A3, 20, 1C, 41, 00, E8, 1C, 95, 00, 00, E8, FA, 93, 00, 00, E8, 32, 89, 00, 00, E8, 24, 82, 00, 00, E8, B8, 7D, 00, 00, E8, 83, 7B, 00, 00, BA, B8, E2, 40, 00, 8D, 0D, A4, 1C, 41, 00, E8, 93, 6F, 00, 00, BA, AA, E2, 40, 00, 8D, 0D, A8, 1C, 41, 00, E8, 83, 6F, 00, 00, C7, 05, 01... 
[+]

Packer / compiler:

PKLITE32, 0x1.1

Code size:

38.5 KB (39,424 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

Keyboard Inf.

Command:

C:\users\{user}\appdata\roaming\downlite\tskmng.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to cf-190-93-240-15.cloudflare.com (190.93.240.15:80)

Remove tskmng.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.