svchospt.exe

Parents Friend V 8.0

FK2

The executable svchospt.exe has been detected as malware by 5 of 68 anti-virus scanners. Its name is a near-copy of the legitimate Windows process name svchost.exe, and it sits in C:\windows\syswow64, which makes it easy to overlook in a process or autorun listing. It is set to execute automatically whenever any user logs into Windows, through a value named 'svchospt' in the machine-wide Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), not a per-user key. While running, it connects to the Internet host w04.rzone.de (81.169.145.68) on TCP port 80 using HTTP. Three of the five detections are generic or heuristic names (Comodo UnclassifiedMalware, McAfee Artemis, Vba32 'suspected of'), so the persistence entry and network destination below are the more useful indicators for confirming the file's presence on a host.
Publisher:
FK2

Product:
Parents Friend V 8.0

Version:
8.00.0030

MD5:
f85c362349f3be1d1f1aa42e0f8405f5

SHA-1:
d977a2f388db0f3e10a66bfbe781dfb444e081a1

SHA-256:
193f8f356a3ed66da1cf390caaeff3964fcca4b75db3146adbfd8ce28aa5bde0

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
4/23/2024 10:58:18 PM UTC

Scan engine          Detection                        Engine version
Comodo Security      UnclassifiedMalware              6699
Dr.Web               BACKDOOR.Trojan                  9.0.1.070
McAfee               Artemis!F85C362349F3             5600.6465
Prevx                High Risk Worm                   3.0
Vba32 AntiVirus      suspected of Email-Worm.VB.3     3.12.14.2

File size:
932 KB (954,368 bytes)

Product version:
8.00.0030

Copyright:
Lunasoft

Original file name:
svchospt.exe

File type:
Executable application (Win32 EXE)

Language:
German (Germany)

Common path:
C:\windows\syswow64\svchospt.exe

File PE Metadata
Compilation timestamp:
2/1/2009 2:36:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:iuYrBB9rGmqHeC5z7UT14DGQ8aSjRuloRSxeM0iLJdSQnSce3hnXr32O:nlf18aDGQ85IlF06dSQnpe3NX6

Entry address:
0x4FE8

Entry point:
68, EC, 61, 44, 00, E8, F0, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 44, 5F, E0, 52, 47, F8, 78, 40, 91, 18, B3, 7A, 8F, 8A, 9B, DE, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 6F, 6C, 30, 22, 3E, 0A, 50, 61, 72, 65, 6E, 74, 73, 46, 72, 69, 65, 6E, 64, 00, 61, 74, 00, 00, 00, 00, FF, CC, 31, 00, 96, 99, 8B, D3, EE, E3, 01, EB, 47, 82, DB, F1, 34, 70, 23, EB, E6, 01, B5, 41, B4, 4F, 4E, 51, 48, 8B, F8, 88, D9, 2A, 0B, DD, 9F, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...

Developed / compiled with:
Microsoft Visual Basic v5.0
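How a scanner gets from the entry-point bytes above to "Microsoft Visual Basic v5.0": every VB5/VB6 executable begins with a push of the VB header pointer (68 imm32) followed by a near call to ThunRTMain (E8 rel32) that goes through a 6-byte jmp thunk placed just before the entry point. The following Python is an added example written for this page, not code from Reason Core Security or from the file's author. It parses the page's byte listing, checks that shape, and recovers the VB header address. The image base is not listed on the page, so the default VB image base 0x400000 is an assumption used to turn the pushed virtual address into an RVA.

```python
"""Identify the VB5/VB6 start-up stub from an entry-point byte listing.

Added example, not code from the page or from the file's author. The
stub pattern checked here is:

    push <VB header>      ; 68 imm32
    call ThunRTMain       ; E8 rel32, targeting a 6-byte 'jmp [IAT]' thunk
                          ; that the linker places right before the entry
"""
import struct

# Entry-point bytes as listed on the page (the listing is truncated with "...").
ENTRY_POINT_LISTING = (
    "68, EC, 61, 44, 00, E8, F0, FF, FF, FF, 00, 00, 00, 00, 00, 00, "
    "30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, ..."
)
ENTRY_RVA = 0x4FE8             # "Entry address" from the page
ASSUMED_IMAGE_BASE = 0x400000  # assumption: the page does not state the image base


def parse_hex_listing(listing):
    """Convert 'AA, BB, ...' into bytes, ignoring a trailing '...'."""
    out = bytearray()
    for token in listing.split(","):
        token = token.strip().rstrip(".")
        if token:
            out.append(int(token, 16))
    return bytes(out)


def vb_stub_info(code, entry_rva, image_base=ASSUMED_IMAGE_BASE):
    """Return stub details if `code` (bytes at the entry point) is a VB5/6 stub.

    Requires: push imm32, then a near call whose target lies a few bytes
    before the entry point (the import thunk), and a pushed pointer that
    lies above the image base. Returns None otherwise.
    """
    if len(code) < 10 or code[0] != 0x68 or code[5] != 0xE8:
        return None
    header_va = struct.unpack_from("<I", code, 1)[0]
    rel32 = struct.unpack_from("<i", code, 6)[0]
    # rel32 is relative to the end of the 5-byte call, i.e. entry + 10.
    call_target_rva = entry_rva + 10 + rel32
    # The thunk is 'FF 25 xx xx xx xx' (6 bytes); in practice the target is entry - 6.
    if not (entry_rva - 16 <= call_target_rva < entry_rva):
        return None
    if header_va < image_base:
        return None
    return {
        "vb_header_va": header_va,
        "vb_header_rva": header_va - image_base,
        "thunk_rva": call_target_rva,
    }


def classify(listing, entry_rva=ENTRY_RVA):
    """Label the listing the way a compiler-identification scanner would."""
    info = vb_stub_info(parse_hex_listing(listing), entry_rva)
    return "Microsoft Visual Basic 5/6" if info else "not a VB5/6 stub"


if __name__ == "__main__":
    code = parse_hex_listing(ENTRY_POINT_LISTING)
    print(classify(ENTRY_POINT_LISTING))
    print({k: hex(v) for k, v in vb_stub_info(code, ENTRY_RVA).items()})
```

For the page's bytes the pushed pointer is 0x004461EC and the call displacement is -16, so the call lands at entry - 6 (RVA 0x4FE2), exactly where the VB linker puts the ThunRTMain thunk. With the assumed image base that puts the VB header at RVA 0x461EC; on a real sample you would confirm it by reading the "VB5!" signature at that offset.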

Code size:
916 KB (937,984 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
svchospt

Command:
C:\windows\syswow64\svchospt.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to w04.rzone.de  (81.169.145.68:80)
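The persistence entry and the network destination above are the two indicators a responder can check on a host without having the binary. The following Python is an added example written for this page, not code from Reason Core Security. It parses a registry export in the format produced by 'reg export' and a proxy log, both constructed here as sample input, and reports hits on the Run value, the destination host or IP, and the three file hashes listed above. It also matches the same value name under any hive's Run key, since the page's own description and its registry section disagree on whether the entry is per-user or machine-wide.

```python
"""Offline triage for the indicators listed on this page.

Added example, not part of the original page. The .reg text and the proxy
log below are constructed sample input, not real data.
"""
import re

# Indicators taken from the page.
IOC = {
    "run_key_suffix": r"\software\microsoft\windows\currentversion\run",
    "run_name": "svchospt",
    "run_command": r"C:\windows\syswow64\svchospt.exe",
    "hostnames": {"w04.rzone.de"},
    "ips": {"81.169.145.68"},
    "hashes": {  # MD5, SHA-1, SHA-256 from the page
        "f85c362349f3be1d1f1aa42e0f8405f5",
        "d977a2f388db0f3e10a66bfbe781dfb444e081a1",
        "193f8f356a3ed66da1cf390caaeff3964fcca4b75db3146adbfd8ce28aa5bde0",
    },
}

# Constructed 'reg export' output (.reg files double every backslash).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svchospt"="C:\\windows\\syswow64\\svchospt.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

# Constructed proxy log: timestamp, client, destination:port, method, URL, status.
SAMPLE_PROXY_LOG = """2024-04-23T22:58:01Z 10.0.0.15 81.169.145.68:80 GET http://w04.rzone.de/ 200
2024-04-23T22:58:04Z 10.0.0.15 142.250.74.78:443 CONNECT www.google.com:443 200
2024-04-23T22:59:10Z 10.0.0.22 81.169.145.68:80 GET http://w04.rzone.de/ 404
"""

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key, name, data) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_VALUE.match(line) if key else None
        if m:
            # .reg escapes backslash as \\ and double quote as \"
            data = re.sub(r'\\(["\\])', r"\1", m.group(2))
            yield key, m.group(1), data


def find_run_key_hits(reg_text):
    """Run values (in any hive) whose name or command matches the page."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(IOC["run_key_suffix"]):
            continue
        if name.lower() == IOC["run_name"] or data.lower() == IOC["run_command"].lower():
            hits.append((key, name, data))
    return hits


def find_network_hits(log_text):
    """Log lines whose tokens contain the destination host or IP."""
    hits = []
    for line in log_text.splitlines():
        tokens = re.split(r"[\s:/]+", line.lower())
        host_hit = any(t == h or t.endswith("." + h) for t in tokens for h in IOC["hostnames"])
        ip_hit = any(t in IOC["ips"] for t in tokens)
        if host_hit or ip_hit:
            hits.append(line)
    return hits


def hash_matches(digest):
    """True if a hex digest equals one of the page's MD5/SHA-1/SHA-256 values."""
    return digest.strip().lower() in IOC["hashes"]


def triage(reg_text, proxy_text, digests=()):
    """Summarise all indicator hits for a host."""
    return {
        "persistence": find_run_key_hits(reg_text),
        "network": find_network_hits(proxy_text),
        "hash_hits": [d for d in digests if hash_matches(d)],
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REG_EXPORT, SAMPLE_PROXY_LOG).items():
        print(section, hits)
```

On a live Windows host the registry text comes from 'reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg' (and the HKCU equivalent), and the digest from Get-FileHash on C:\windows\syswow64\svchospt.exe. Note that 81.169.145.68 is shared hosting (the rzone.de domain belongs to a hosting provider), so an IP-only match is weaker evidence than a hit on the hostname or the Run value.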

Remove svchospt.exe - Powered by Reason Core Security