conhost.exe

The executable conhost.exe has been detected as malware by 14 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Console Protect Service’. Note that the file name mimics the legitimate Windows Console Host, which resides in %SystemRoot%\System32; a copy running from the user's AppData\Roaming directory, as reported below, is itself an indicator worth investigating.
MD5:
37d8ea11b9cf11d554fe22217c4272f5

SHA-1:
59abd1f58e66364928bb3682f5aa579d1cc8f065

SHA-256:
729ded3ffe3ef38212ade51a70e7fca32ba60808231103871bba2817a03a935b

Scanner detections:
14 / 68

Status:
Malware

Analysis date:
4/26/2024 8:46:06 AM UTC

Scan engine             Detection                      Engine version
Lavasoft Ad-Aware       Trojan.GenericKD.1836609       856
Avira AntiVirus         TR/Dropper.MSIL.76938          7.11.170.152
avast!                  Win32:Dropper-gen [Drp]        2014.9-141002
AVG                     Generic36                      2015.0.3334
Baidu Antivirus         Trojan.Win32.Ransom            4.0.3.14102
Bitdefender             Trojan.GenericKD.1836609       1.0.20.1375
Bkav FE                 HW32.CDB                       1.3.0.4959
Emsisoft Anti-Malware   Trojan.GenericKD.1836609       8.14.10.02.04
ESET NOD32              Win32/RpcBrute                 8.10356
G Data                  Trojan.GenericKD.1836609       14.10.24
Kaspersky               Trojan-Ransom.Win32.Foreign    14.0.0.3164
Malwarebytes            Trojan.Agent.ED                v2014.10.02.04
MicroWorld eScan        Trojan.GenericKD.1836609       15.0.0.825
Sophos                  Mal/Generic-S                  4.98

File size:
116 KB (118,784 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\protect\conhost.exe

File PE Metadata
Compilation timestamp:
9/1/2014 1:24:03 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:wxVNBSVcSWuAoK3Biizl+t3OShr8/Z1+1s:odSWuroVzlfShMb+1

Entry address:
0x1BFBE

Entry point:
FF, 90, 00, 20, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 90, 00, 00, 00, 18, 90, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 30, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Code size:
104 KB (106,496 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Console Protect Service

Command:
C:\users\{user}\appdata\roaming\microsoft\protect\conhost.exe


Remove conhost.exe - Powered by Reason Core Security