svchost.exe

Select'Assistance Pro

The executable svchost.exe has been detected as malware by 6 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Sidebar(35.2)’. Although this file uses the name svchost.exe, this is NOT the Windows SvcHost (Service Host) distributed with the OS.
Publisher:
Microsoft® Windows® Operating System  (signed by Select'Assistance Pro)

Product:
Microsoft® Windows® Operating System

Description:
svchost.exe

Version:
3.3.9200.16420

MD5:
ef8bd103ab8c6a07ebf0850d72b9a3b5

SHA-1:
af2400f0fdd63801c9305fb37a14083c8cb2ad9d

SHA-256:
d0e2257250c1924553dc2dbbef9668ecb734a9029d6d242f26d15f367eb26dfa

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
4/29/2024 6:51:16 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.MSILPerseus.1806 | 5813571
AVG | Win32/Hedo | 2015.0.4489
Emsisoft Anti-Malware | Gen:Variant.MSILPerseus.1806 | 10.0.0.5366
ESET NOD32 | MSIL/Packed.EzirizNetReactor.AD trojan | 7.0.302.0
F-Secure | Variant.MSILPerseus.1806 | 5.15.21
Norman | Gen:Variant.MSILPerseus.1806 | 11.01.2016 17:30:26

File size:
320.7 KB (328,376 bytes)

Product version:
3.3.9200.16420

Copyright:
© Microsoft Corporation. All rights reserved.

Trademarks:
Microsoft Fonction Basic

Original file name:
Project35.2.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\programme files(35.2)\svchost.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
4/3/2014 7:00:00 AM

Valid to:
4/7/2017 7:00:00 PM

Subject:
CN=Select'Assistance Pro, O=Select'Assistance Pro, L=Strasbourg, C=FR

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
055B429F44BDEC64C1AC6E0873322026

File PE Metadata
Compilation timestamp:
3/12/2015 9:28:22 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:0XU9eMX89sI0gE4rs7dpzkw65hRPle7um16e9hOIdKfz6fIMwDLd:0EkG1ItEJnQB57Iqm9wLfz6AMSd

Entry address:
0x4B3FE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Entropy:
5.9699

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
293.5 KB (300,544 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Sidebar(35.2)

Command:
C:\users\{user}\appdata\roaming\programme files(35.2)\svchost.exe

