svchost..exe

WindowsFormsApplication5

The executable svchost..exe, whose version-info description reads “Host Process for Windows Services” (the description of the legitimate Windows svchost.exe), has been detected as malware by 38 of 68 anti-virus scanners. The doubled dot in the file name, the unverifiable publisher claim and the location in the user's Startup folder are all lookalike and persistence tricks; the real Host Process for Windows Services is signed by Microsoft and runs from C:\Windows\System32.
Publisher:
Microsoft*  (Invalid match: the publisher name is only a string in the file's version information and is not backed by a valid Microsoft Authenticode signature)

Product:
WindowsFormsApplication5

Description:
Host Process for Windows Services

Version:
1.0.0.0

MD5:
b6404da30cc21b244a101b0a23a14709

SHA-1:
2d5ebc54fe027cada7eea7de141349229186df72

SHA-256:
1bfecb5ea2cf955666f415d4c6a514f7c15b07629feb99caff3a09f94c1cbeb2

Scanner detections:
38 / 68

Status:
Malware

Analysis date:
6/24/2025 2:14:40 AM UTC

Scan engine                    Detection                                    Engine version
Lavasoft Ad-Aware              Trojan.Generic.KDV.690486                    1063
Agnitum Outpost                Trojan.Agent                                 7.1.1
Avira AntiVirus                TR/Rogue.kdv.690486                          7.11.133.190
avast!                         MSIL:Agent-ABU [Trj]                         2014.9-140309
AVG                            Generic27                                    2015.0.3541
Baidu Antivirus                Trojan.MSIL.Agent                            4.0.3.1439
Bitdefender                    Trojan.Generic.KDV.690486                    1.0.20.340
Bkav FE                        W32.Clodbb4.Trojan                           1.3.0.4959
Clam AntiVirus                 Win.Worm.Agent-718                           0.98/18355
Comodo Security                Worm.MSIL.Agent.AY                           17849
Dr.Web                         Trojan.Siggen3.38290                         9.0.1.05190
Emsisoft Anti-Malware          Trojan.Generic.KDV.690486                    11.5.0.6191
ESET NOD32                     MSIL/Agent.AY worm                           8.0.319.0
Fortinet FortiGate             MSIL/Agent.ANKF!tr                           3/9/2014
F-Prot                         W32/MSIL_Agent.K.gen                         4.6.5.141
F-Secure                       Variant.Zusy.86411                           5.15.96
G Data                         Trojan.Generic.KDV.690486                    14.3.24
IKARUS anti.virus              Worm.Win32.Msil                              t3scan.2.2.29
K7 AntiVirus                   NetWorm                                      13.176.11278
Kaspersky                      Trojan.MSIL.Agent                            15.0.0.562
Malwarebytes                   Trojan.MSIL                                  v2014.03.09.08
McAfee                         Generic.pi                                   5600.7197
Microsoft Security Essentials  Worm:MSIL/Mofin.A                            1.10302
MicroWorld eScan               Trojan.Generic.KDV.690486                    15.0.0.204
NANO AntiVirus                 Trojan.Win32.Agent.cqkyab                    0.28.0.58101
Norman                         Gen:Variant.Zusy.86411                       28.05.2016 15:32:18
nProtect                       Trojan/W32.Agent.229376.ALD                  14.02.26.01
Panda Antivirus                Trj/Agent.IVN                                14.03.09.08
Qihoo 360 Security             Win32/Trojan.287                             1.0.0.1015
Quick Heal                     Worm.Necast.A3                               3.14.12.00
Rising Antivirus               PE:Trojan.Win32.Generic.13FD6F96!335376278   23.00.65.14307
Sophos                         Mal/MSIL-EY                                  4.98
SUPERAntiSpyware               Worm.Necast                                  10738
Total Defense                  Win32/Tnega.ASFT                             37.0.10786
Trend Micro House Call         WORM_MOFIN.E                                 7.2.68
Trend Micro                    WORM_MOFIN.E                                 10.465.09
Vba32 AntiVirus                Trojan.MSIL.Agent                            3.12.24.3
VIPRE Antivirus                Trojan.Win32.Generic                         26868
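The 38 labels above disagree on naming but agree on substance: a .NET (MSIL) worm, with Mofin and Necast as the family names that recur. The script below is an added example, not part of the scan report, showing how to extract that consensus mechanically: tokenise each vendor label, sort tokens into platform, threat class and family, and vote. The token dictionaries are a small hand-written heuristic (AVClass-style tools do the same with much larger ones), and the rows embedded in the script are a constructed subset of the table.

```python
"""Consensus from heterogeneous AV labels (added example, not from the report)."""
import re
from collections import Counter

# Constructed subset of the detection rows in the report above: (engine, label).
SAMPLE_LABELS = [
    ("Lavasoft Ad-Aware", "Trojan.Generic.KDV.690486"),
    ("avast!", "MSIL:Agent-ABU [Trj]"),
    ("Clam AntiVirus", "Win.Worm.Agent-718"),
    ("Comodo Security", "Worm.MSIL.Agent.AY"),
    ("ESET NOD32", "MSIL/Agent.AY worm"),
    ("Kaspersky", "Trojan.MSIL.Agent"),
    ("Microsoft Security Essentials", "Worm:MSIL/Mofin.A"),
    ("Quick Heal", "Worm.Necast.A3"),
    ("SUPERAntiSpyware", "Worm.Necast"),
    ("Trend Micro House Call", "WORM_MOFIN.E"),
    ("Trend Micro", "WORM_MOFIN.E"),
    ("McAfee", "Generic.pi"),
    ("VIPRE Antivirus", "Trojan.Win32.Generic"),
]

# Heuristic dictionaries (an assumption of this example, not a standard).
PLATFORM = {"msil": "msil", "win32": "win32", "w32": "win32", "win": "win32"}
KIND = {"trojan": "trojan", "trj": "trojan", "tr": "trojan", "worm": "worm", "networm": "worm"}
# Words that carry no family information: generic/heuristic markers and catch-all names.
NOISE = {"generic", "gen", "variant", "agent", "kdv", "heur", "malware", "siggen", "mal"}


def tokenize(label):
    """Split a vendor label on every non-alphanumeric character and lower-case it."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if t]


def classify(label):
    """Return (platform, kind, family) for one vendor label; any field may be None."""
    toks = tokenize(label)
    platform = next((PLATFORM[t] for t in toks if t in PLATFORM), None)
    kind = next((KIND[t] for t in toks if t in KIND), None)
    # Family candidates: alphabetic, at least 4 letters, not a class/platform/noise word.
    # Short variant suffixes such as "ABU", "AY" or "A3" fall to the length/digit rule.
    family = next((t for t in toks
                   if t.isalpha() and len(t) >= 4
                   and t not in PLATFORM and t not in KIND and t not in NOISE), None)
    return platform, kind, family


def consensus(rows):
    """Majority vote over (engine, label) rows; winner and vote count per field."""
    plat, kind, fam = Counter(), Counter(), Counter()
    for _engine, label in rows:
        p, k, f = classify(label)
        if p:
            plat[p] += 1
        if k:
            kind[k] += 1
        if f:
            fam[f] += 1

    def top(counter):
        return counter.most_common(1)[0] if counter else (None, 0)

    return {"platform": top(plat), "kind": top(kind), "family": top(fam),
            "families": dict(fam), "labels": len(rows)}


if __name__ == "__main__":
    print(consensus(SAMPLE_LABELS))
```

On the constructed subset the vote comes out as platform msil (5), kind worm (8) and family mofin (3) ahead of necast (2); the generic labels (Generic.pi, Trojan.Generic.KDV.690486) contribute a class vote at most and no family, which is the point of the noise list.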

File size:
224 KB (229,376 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2011

Original file name:
WindowsFormsApplication5.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost..exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:X3BPXZf7nECworDBqhElSksQ9na/tK88sWR:X3znqksQRa/8vxR

Entry address:
0x5E1E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
The first six bytes, FF 25 00 20 40 00, decode to jmp dword ptr [0x00402000]: the unmanaged entry stub of a 32-bit .NET executable, which jumps through the import address table to mscoree.dll!_CorExeMain so that the runtime loads and runs the managed entry point; the zeros that follow are padding. Together with the .NET CLR dependent flag below this confirms a managed (C#/VB.NET) binary, as the original file name WindowsFormsApplication5.exe already suggests.

Entropy:
4.1180

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
16 KB (16,384 bytes)
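The two PE fields above that a triager actually computes with are the entry-point bytes and the entropy. The script below is an added example, not part of the report: it parses the report's byte notation, decodes the FF 25 indirect jump, and puts the entropy figure into the usual triage bands. The image base of 0x00400000 is the default for 32-bit executables and is an assumption here, since the report does not print it.

```python
"""PE triage arithmetic on the metadata shown in the report (added example)."""
import math
from collections import Counter

# First bytes of the "Entry point" field above, copied as printed (the field continues with zeros).
REPORT_ENTRY_BYTES = "FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00"
REPORT_ENTROPY = 4.1180
IMAGE_BASE = 0x00400000  # assumption: default ImageBase for 32-bit PE files


def parse_byte_list(text):
    """Turn the report's 'FF, 25, 00' notation into bytes."""
    return bytes(int(tok, 16) for tok in text.replace("...", "").split(",") if tok.strip())


def decode_entry_stub(entry, image_base=IMAGE_BASE):
    """Decode FF 25 imm32 (jmp dword ptr [imm32]) at the entry point.

    A 32-bit (PE32) .NET executable built by the Microsoft compilers starts with this
    six-byte stub: an indirect jump through the import address table slot that holds
    mscoree.dll!_CorExeMain, which loads the runtime and runs the managed Main.
    Returns None when the entry does not start with an indirect jump.
    """
    if len(entry) < 6 or entry[:2] != b"\xFF\x25":
        return None
    target_va = int.from_bytes(entry[2:6], "little")
    return {
        "mnemonic": "jmp dword ptr [0x%08X]" % target_va,
        "target_va": target_va,
        "target_rva": target_va - image_base,
        # Heuristic: a lone indirect jmp followed by zero padding is the CLR stub shape;
        # a native entry point would continue with real code instead.
        "looks_like_clr_stub": all(b == 0 for b in entry[6:]),
    }


def shannon_entropy(data):
    """Bits per byte, from 0.0 (a single byte value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_band(h):
    """Rough triage bands: compiled code and plain data cluster around 4-6 bits per byte,
    packed or encrypted payloads push toward 8. The report's 4.1180 sits in the low band,
    i.e. nothing suggests a packer over this .NET image."""
    if h >= 7.2:
        return "high: likely packed or encrypted"
    if h >= 6.0:
        return "medium: mixed or compressed content"
    return "low: unpacked code and data"


if __name__ == "__main__":
    print(decode_entry_stub(parse_byte_list(REPORT_ENTRY_BYTES)))
    print(entropy_band(REPORT_ENTROPY))
```

Running it on the report's bytes gives target VA 0x00402000, RVA 0x2000 (the import address table of a typical compiler-emitted .NET image), and the low entropy band; shannon_entropy is included so the same bands can be applied to a file or section you hold yourself rather than to a figure from a report.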

User Start Menu Item
Name:
svchost..exe
A file in the per-user Startup folder (the "Common path" above) is launched at every logon of that user. This is the sample's persistence mechanism; writing there needs no administrative rights.
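The report exposes three host-side indicators that do not depend on an AV engine: the file hashes, a name that renders like svchost.exe but is not it, and the per-user Startup folder as location. The script below is an added example, neither part of the report nor Reason Core Security's tooling: given a Windows path and the file's bytes it applies all three. The legitimate svchost.exe directories come from knowledge of Windows, not from the report, and the sample bytes in the usage are constructed.

```python
"""Host-side check for the indicators in this report (added example)."""
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators copied from the report above.
REPORT_IOCS = {
    "md5": "b6404da30cc21b244a101b0a23a14709",
    "sha1": "2d5ebc54fe027cada7eea7de141349229186df72",
    "sha256": "1bfecb5ea2cf955666f415d4c6a514f7c15b07629feb99caff3a09f94c1cbeb2",
    "size": 229376,
}
# The real Host Process for Windows Services only runs from these directories.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Per-user Startup folder: anything in it runs at logon without admin rights.
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup$", re.I)


def hashes(data):
    """MD5/SHA-1/SHA-256 of the bytes, keyed the same way as REPORT_IOCS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def canonical_name(name):
    """Collapse the tricks that make a name render like svchost.exe: repeated or spaced
    dots ("svchost..exe", "svchost .exe") and digit-for-letter swaps ("svch0st.exe")."""
    return re.sub(r"[\s.]+", ".", name.lower().replace("0", "o"))


def triage(path, data, iocs=REPORT_IOCS):
    """Return the list of findings for one file; an empty list means nothing matched."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    findings = []
    h = hashes(data)
    matched = [alg for alg in h if h[alg] == iocs.get(alg)]
    if matched:
        findings.append("hash match (%s)" % ", ".join(matched))
    if len(data) == iocs.get("size"):
        findings.append("size matches report (%d bytes)" % len(data))
    if canonical_name(name) == "svchost.exe":
        if name != "svchost.exe":
            findings.append("filename masquerades as svchost.exe")
        if parent not in LEGIT_SVCHOST_DIRS:
            findings.append("svchost-named file outside System32/SysWOW64")
    if STARTUP_DIR_RE.search(parent):
        findings.append("persistence: user Startup folder")
    return findings


if __name__ == "__main__":
    sample = b"MZ constructed sample, not the real file"
    print(triage(r"C:\users\alice\appdata\roaming\microsoft\windows"
                 r"\start menu\programs\startup\svchost..exe", sample))
```

The name and location rules fire on the report's common path even when the hash does not match, which is what you want against a recompiled variant of the same dropper; a hash match alone is the strong signal for this exact build.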


The file svchost..exe has been seen being distributed from the following 5 sources, recorded as the temporary file names it was downloaded under:

temp:.bc1364.exe

temp:bike.exe

temp:1Videoshow.exe

temp:Images.exe

temp:Videos.exe

The executing file has been seen to make the following network communications in live environments. The first five are TCP connections to port 587 (SMTP mail submission) on hosts in 1e100.net, the domain Google uses for the reverse DNS of its servers, which is consistent with the sample sending mail through Google's SMTP service; the last is plain HTTP.

TCP:
Connects to wb-in-f108.1e100.net  (66.102.1.108:587)

TCP:
Connects to wb-in-f109.1e100.net  (66.102.1.109:587)

TCP:
Connects to jn-in-f108.1e100.net  (209.85.234.108:587)

TCP:
Connects to dh-in-f109.1e100.net  (209.85.203.109:587)

TCP:
Connects to qu-in-f109.1e100.net  (209.85.201.109:587)

TCP (HTTP):
Connects to fm.interiowo.pl  (217.74.66.160:80)
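The pattern above (a process named like svchost.exe, launched from the Startup folder, opening SMTP submission connections to a different Google front end each time) is what endpoint network telemetry should catch. The script below is an added example, not part of the report: it runs two rules over constructed log lines in a Sysmon Event ID 3 style (timestamp|image|destination host|destination IP|destination port). The suspicious lines reuse the hosts and addresses listed above; the benign lines use documentation addresses, and the allow-list of mail clients is an assumption to tune per estate.

```python
"""Detection logic for the outbound pattern in the report (added example)."""
import re
from ipaddress import ip_address

FAKE_SVCHOST = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\svchost..exe")

# Constructed log lines: timestamp|image|dest hostname|dest ip|dest port.
SAMPLE_LOGS = "\n".join("|".join(f) for f in [
    ("2025-06-24T02:10:01Z", FAKE_SVCHOST, "wb-in-f108.1e100.net", "66.102.1.108", "587"),
    ("2025-06-24T02:10:02Z", FAKE_SVCHOST, "fm.interiowo.pl", "217.74.66.160", "80"),
    ("2025-06-24T02:10:05Z", FAKE_SVCHOST, "wb-in-f109.1e100.net", "66.102.1.109", "587"),
    ("2025-06-24T02:10:09Z", FAKE_SVCHOST, "jn-in-f108.1e100.net", "209.85.234.108", "587"),
    ("2025-06-24T02:11:00Z", r"C:\Windows\System32\svchost.exe", "update.example.net", "203.0.113.5", "443"),
    ("2025-06-24T02:12:00Z", r"C:\Program Files\Mail\outlook.exe", "smtp.example.org", "198.51.100.25", "587"),
])

MAIL_PORTS = {25, 465, 587}                      # SMTP, SMTPS, submission (RFC 6409)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: processes allowed to speak SMTP
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, image, host, ip, port = line.split("|")
    return {"ts": ts, "image": image, "host": host.lower(),
            "ip": ip_address(ip), "port": int(port)}


def svchost_lookalike(image):
    """svchost.exe outside its real directories, or a name that only renders like it."""
    directory, _, name = image.lower().rpartition("\\")
    looks_like = re.sub(r"[\s.]+", ".", name.replace("0", "o")) == "svchost.exe"
    return looks_like and (name != "svchost.exe" or directory not in LEGIT_SVCHOST_DIRS)


def detect(lines):
    """One alert per log line that trips a rule, carrying every reason it tripped."""
    alerts = []
    for line in filter(str.strip, lines.splitlines()):
        ev = parse(line)
        name = ev["image"].lower().rpartition("\\")[2]
        reasons = []
        if svchost_lookalike(ev["image"]):
            reasons.append("svchost lookalike outside System32")
        if ev["port"] in MAIL_PORTS and name not in MAIL_CLIENTS:
            reasons.append("mail submission (tcp/%d) from non-mail process" % ev["port"])
            if ev["host"].endswith(".1e100.net"):  # Google's reverse-DNS domain
                reasons.append("destination is Google mail infrastructure (1e100.net)")
        if reasons:
            alerts.append({"ts": ev["ts"], "image": ev["image"],
                           "dst": "%s:%d" % (ev["ip"], ev["port"]), "reasons": reasons})
    return alerts


def mail_fanout(lines, threshold=3):
    """Non-mail processes that spoke SMTP to at least `threshold` distinct hosts: the
    fan-out a mailer shows when its server name resolves to a different front end on
    each connect, as the five 1e100.net hosts in the report do."""
    hosts = {}
    for line in filter(str.strip, lines.splitlines()):
        ev = parse(line)
        name = ev["image"].lower().rpartition("\\")[2]
        if ev["port"] in MAIL_PORTS and name not in MAIL_CLIENTS:
            hosts.setdefault(ev["image"], set()).add(ev["host"])
    return {img: sorted(h) for img, h in hosts.items() if len(h) >= threshold}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
    print(mail_fanout(SAMPLE_LOGS))
```

On the sample the per-line rule raises four alerts, all for the lookalike binary (the real System32 svchost.exe and the mail client stay quiet), and the fan-out rule singles out the same binary for talking SMTP to three distinct hosts; in production, feed the second rule a longer window than the first.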

Remove svchost..exe - Powered by Reason Core Security