traymgr.exe

Windows Update AutoUpdate Client

Although the file's version properties claim it was developed by 'Microsoft Corporation', it is not a Microsoft file: the metadata is spoofed so that it resembles a legitimate Microsoft system file (its original file name, wuauclt1.exe, imitates the genuine Windows Update client wuauclt.exe). The executable traymgr.exe, described as “Windows Update AutoUpdate Client”, has been detected as malware by 35 anti-virus scanners. While running, it connects to the Internet address anubisnetworks.com on port 81.
Publisher:
Microsoft Corporation* (Invalid match)

Product:
Microsoft® Windows® Operating System

Description:
Windows Update AutoUpdate Client

Version:
5.4.3790.3264 (xpsp.071130-0108)

MD5:
90551c3e123f83b8751841c6efa4cb99

SHA-1:
48d1bf35fa5979320f4bdada116712c92ce7e776

Scanner detections:
35 / 68

Status:
Malware

Analysis date:
4/26/2024 8:20:15 AM UTC

Scan engine                    | Detection                        | Engine version
-------------------------------|----------------------------------|----------------
Lavasoft Ad-Aware              | Gen:Trojan.Heur.km0@sPNEM0fiM    | -3
Agnitum Outpost                | Trojan.VBGent.Gen.492            | 7.1.1
AhnLab V3 Security             | Trojan/Win32.IRCBot              | 2014.06.21
Avira AntiVirus                | TR/Dropper.Gen                   | 7.11.155.224
avast!                         | Win32:IRCBot-DPI [Trj]           | 2014.9-170207
AVG                            | Dropper.Generic                  | 2018.0.2475
Bitdefender                    | Gen:Trojan.Heur.km0@sPNEM0fiM    | 1.0.20.190
Bkav FE                        | W32.Clodea7.Trojan               | 1.3.0.4959
Clam AntiVirus                 | Win.Trojan.Ircbot-2188           | 0.98/21411
Comodo Security                | TrojWare.Win32.VBInject.IK       | 18610
Dr.Web                         | BackDoor.IRC.Sdbot.5323          | 9.0.1.038
Emsisoft Anti-Malware          | Gen:Trojan.Heur.km0@sPNEM0fiM    | 8.17.02.07.03
ESET NOD32                     | Win32/Injector.GFM (variant)     | 11.9975
Fortinet FortiGate             | W32/VBInjector.W!tr              | 2/7/2017
F-Prot                         | W32/VBTrojan.Dropper.4           | v6.4.7.1.166
F-Secure                       | Gen:Trojan.Heur.km0@sPNEM0fiM    | 11.2017-07-02_3
G Data                         | Gen:Trojan.Heur.km0@sPNEM0fiM    | 17.2.24
IKARUS anti.virus              | Trojan.VB                        | t3scan.1.6.1.0
K7 AntiVirus                   | Backdoor                         | 13.180.12478
Kaspersky                      | Backdoor.Win32.IRCBot            | 14.0.0.-1131
McAfee                         | W32/Hamweq.worm.aq               | 5600.6131
Microsoft Security Essentials  | VirTool:Win32/VBInject.gen!BF    | 1.10701
MicroWorld eScan               | Gen:Trojan.Heur.km0@sPNEM0fiM    | 18.0.0.114
Norman                         | VBInject.FRL                     | 11.20170207
Panda Antivirus                | Generic Trojan                   | 17.02.07.03
Qihoo 360 Security             | Win32/Trojan.Dropper.b73         | 1.0.0.1015
Quick Heal                     | (Suspicious) - DNAScan           | 2.17.14.00
Sophos                         | Mal/VB-AD                        | 4.98
Total Defense                  | Win32/Tnega.ZKH                  | 37.0.11011
Trend Micro House Call         | WORM_KOLAB.ZFX                   | 7.2.38
Trend Micro                    | WORM_KOLAB.ZFX                   | 10.465.07
Vba32 AntiVirus                | Trojan.VBO.013364                | 3.12.26.3
VIPRE Antivirus                | LooksLike.Win32.Malware!vb       | 30488
ViRobot                        | Backdoor.Win32.IRCBot.249856.E   | 2011.4.7.4223
Zillya! Antivirus              | Backdoor.IRCBot.Win32.16384      | 2.0.0.1832

File size:
172 KB (176,128 bytes)

Product version:
5.4.3790.3264

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
wuauclt1.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\traymgr.exe

File PE Metadata
Compilation timestamp:
5/26/2009 8:56:51 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x1C3C

Entry point:
68, 7C, 1D, 40, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 01, 7B, 8F, FB, 42, 51, E0, 44, A1, B1, 71, 28, 8A, E1, 95, EE, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 75, 64, 69, 6F, 5C, 56, 54, 45, 4A, 74, 49, 63, 50, 41, 00, 4C, 42, 00, 30, 30, 2C, 20, 00, 00, 00, 00, 06, 00, 00, 00, D8, 46, 40, 00, 07, 00, 00, 00, 54, 27, 40, 00, 07, 00, 00, 00, 00, 27, 40, 00, 07, 00, 00, 00, B8, 26, 40, 00, 07, 00, 00, 00, 74, 26, 40, 00, 07, 00, 00, 00, 1C, 26, 40, 00...

Entropy:
6.4336

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
84 KB (86,016 bytes)

Policies Explorer Run (autostart entry) name:
MicrosoftCorp


The executing file has been observed making the following network communication in live environments.

TCP:
Connects to anubisnetworks.com (195.22.26.248:81)

Remove traymgr.exe - Powered by Reason Core Security