tygjlagf.exe

Webroot SecureAnywhere

Webroot Inc.

This is a setup program used to install the application. It runs as a separate Windows service (within the context of its own process) named “WRSVC”. It is set to execute automatically when any user logs into Windows (through the local user Run registry setting), also under the name ‘WRSVC’. The file has been seen being downloaded from anywhere.webrootcloudav.com.
Publisher:
Webroot  (signed by Webroot Inc.)

Product:
Webroot SecureAnywhere

Version:
8.0.4.42

MD5:
532fb657478ba9a18bade9ddf3191ac7

SHA-1:
dad27cc2583850699d2c9db996a38b986452c76d

SHA-256:
ccf570ff9311da38a4f31c1326214031c4a7fb3e3aad06674aa028c41ec44462

Scanner detections:
1 / 68

Status:
Clean  (1 probable false positive detection)

Explanation:
This is most likely a false positive detection; the file is probably clean.

Analysis date:
4/23/2024 8:05:25 PM UTC

Scan engine:
Rising Antivirus

Detection:
PE:Stealer.Zbot!1.6524

Engine version:
23.00.65.131214

File size:
744.1 KB (761,920 bytes)

Product version:
8.0.4.42

Copyright:
(c) Webroot 2006-2013

Original file name:
WRSA.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\fjwvofag\tygjlagf.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/9/2012 1:00:00 AM

Valid to:
1/10/2014 12:59:59 PM

Subject:
CN=Webroot Inc., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Webroot Inc., L=Broomfield, S=Colorado, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
1C4712357A8FBAFBB7F5B41ED147571F

File PE Metadata
Compilation timestamp:
12/4/2013 2:49:29 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:9IU/L4SBtKcHSMR9cqrapCxa/FyxK6ZlwHsN4keNV8Z/DgSdC/Ily4A/VC7CrdMa:lptrrHTWxtyxKClcmgVyXdCQA5/VC7e1

Entry address:
0x20E040

Entry point:
60, BE, 00, E0, 15, 01, 8D, BE, 00, 30, EA, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, D7, CB, 20, 00, 57, 83, C3, 04, 53, 68, 3D, 00, 0B, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...

Code size:
708 KB (724,992 bytes)

Service
Display name:
WRSVC

Description:
Webroot SecureAnywhere Complete v8.0.4.42

Type:
Win32OwnProcess


Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WRSVC

Command:
"C:\Program Files\webroot\wrsa.exe" -ul


The file tygjlagf.exe has been seen being distributed by the following URL.

Scan tygjlagf.exe - Powered by Reason Core Security