svchost.exe

Select'Assistance Pro

The executable svchost.exe has been detected as malware by 7 anti-virus scanners. It is set to start automatically when a user logs in to Windows, via the current-user Run registry key, under the display name ‘Sidebar(x34) Build19b’. Although this file is named svchost.exe, it is NOT the Windows SvcHost (Service Host) distributed with the OS.
Publisher:
Microsoft® Windows® Operating System  (signed by Select'Assistance Pro)

Product:
Microsoft® Windows® Operating System

Description:
svchost.exe

Version:
6.2.9200.16420

MD5:
ed7cc83cddbb070e9e93ea117a1a3e70

SHA-1:
203e92ccadf2e3b02631eb3f1a185bca8f350fad

SHA-256:
b46666cb6974ce371743bd03e12220a5f1d0d14684593d427ba7f499aaa26329

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
4/25/2024 3:18:44 PM UTC  (today)

Scan engine | Detection | Engine version
avast! | MSIL:Agent-CHS [Trj] | 160209-2
Emsisoft Anti-Malware | Gen:Variant.MSIL.Lynx.14 | 10.0.0.5366
ESET NOD32 | MSIL/Packed.EzirizNetReactor.AD trojan | 7.0.302.0
F-Secure | Variant.MSIL.Lynx.14 | 5.15.21
Kaspersky | Trojan.Win32.Reconyc | 15.0.0.562
McAfee | Trojan.Artemis!ED7CC83CDDBB | 18.0.204.0
Norman | Gen:Variant.MSIL.Lynx.14 | 03.02.2016 10:30:35

File size:
306.7 KB (314,040 bytes)

Product version:
6.2.9200.16420

Copyright:
© Microsoft Corporation. All rights reserved.

Trademarks:
Microsoft Fonction Basic

Original file name:
S 34Build19.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\programme files(x34)build19b\svchost.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
4/3/2014 3:00:00 AM

Valid to:
4/7/2017 3:00:00 PM

Subject:
CN=Select'Assistance Pro, O=Select'Assistance Pro, L=Strasbourg, C=FR

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
06CE209477F1AC19A2049BDC5846A831

File PE Metadata
Compilation timestamp:
5/5/2014 1:48:15 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:NWbt08g1Q6rJdF2G6syGCGPYLL53iR966tZE:0bOTQ634GmGhgLLh6E6XE

Entry address:
0x47CCE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Entropy:
5.9353

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
279.5 KB (286,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Sidebar(x34) Build19b

Command:
C:\users\{user}\appdata\roaming\programme files(x34)build19b\svchost.exe

