tzjehehrcg.exe

The executable tzjehehrcg.exe has been detected as malware by 2 anti-virus scanners. It is configured, through the current-user Run registry key, to start automatically whenever a user logs into Windows, under the display name ‘Microsoft Windows Manager’. While running, it connects to the Internet address passat.vivawebhost.com on port 80 using the HTTP protocol.
MD5:
2eaa1f7ae4cac6c7e4ba3a31c4a728c7

SHA-1:
f4cc291030681281378406493660b7ce6f26c036

SHA-256:
7f55719be4afda1d8de49677c93b94a421cf951a44ad31e0f65ff98afe7c617b

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
11/28/2024 5:00:29 AM UTC

Scan engine   Detection                     Engine version
Dr.Web        probably DLOADER.IRC.Trojan   9.0.1.05190
ESET NOD32    Win32/Phorpiex.C worm         6.3.12010.0

File size:
29.5 KB (30,208 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\tzjehehrcg.exe

File PE Metadata
Compilation timestamp:
2/28/2017 12:50:09 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x5D86

Entry point:
55, 8B, EC, 6A, FF, 68, 38, 6D, 40, 00, 68, 10, 5F, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, F0, 60, 40, 00, 59, 83, 0D, 40, 93, 40, 00, FF, 83, 0D, 44, 93, 40, 00, FF, FF, 15, F4, 60, 40, 00, 8B, 0D, 3C, 93, 40, 00, 89, 08, FF, 15, F8, 60, 40, 00, 8B, 0D, 38, 93, 40, 00, 89, 08, A1, FC, 60, 40, 00, 8B, 00, A3, 48, 93, 40, 00, E8, 10, 01, 00, 00, 39, 1D, 90, 81, 40, 00, 75, 0C, 68, 02, 5F, 40, 00, FF, 15, 00, 61...

Entropy:
6.1126

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
20 KB (20,480 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows Manager

Command:
C:\users\boss ian 13\m-50501030258495509282109240\winmgr.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to passat.vivawebhost.com (78.142.63.63:80)

Remove tzjehehrcg.exe - Powered by Reason Core Security