svchost.exe

The application svchost.exe has been detected as a potentially unwanted program by 22 anti-malware scanners. It is set to start automatically when a user logs in to Windows, through the current user's Run registry key, under the display name ‘svchost’. Although this file uses the name svchost.exe, it is NOT the Windows SvcHost (Service Host) distributed with the OS.
MD5:
d93c394f2c15486aaafc3f8eca04ddb4

SHA-1:
89d31eea4cece3c2f9e08567fb3bd1a99a7c432f

SHA-256:
05bed855e04b687db55ab9f093f1853cd7ff12d5324ac4a23d2ee8429583c07d

Scanner detections:
22 / 68

Status:
Potentially unwanted

Analysis date:
4/30/2024 2:25:20 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| AhnLab V3 Security | Win-Trojan/Sasfis.77824.L | 2010.05.02 |
| Avira AntiVirus | TR/Dldr.Delphi.Gen | 8.2.1.224 |
| Emsisoft A-Squared | Trojan-Dropper.Win32.Malf!IK | 4.5.0.50 |
| avast! | Win32:AutoRun-BHW | 2014.9-170308 |
| AVG | Dropper.Generic | 2018.0.2446 |
| Bitdefender | Gen:Win32.ExplorerHijack.eGW@a4Zy3If | 1.0.20.335 |
| Clam AntiVirus | Trojan.Agent-146452 | 0.98/170.3 |
| Comodo Security | Heur.Packed.Unknown | 4734 |
| Dr.Web | BACKDOOR.Trojan | 9.0.1.067 |
| ESET NOD32 | Win32/TrojanDropper.Delf.NQD (variant) | 11.5077 |
| F-Prot | W32/Heuristic-KPP | v6.4.5.1.85 |
| F-Secure | Gen:Win32.ExplorerHijack.eGW@a4Zy3If | 11.2017-08-03_4 |
| G Data | Gen:Win32.ExplorerHijack.eGW@a4Zy3If | 17.3.21 |
| IKARUS anti.virus | Trojan-Dropper.Win32.Malf | t3scan.1.1.80.0 |
| McAfee | W32/Autorun.worm.aae | 5600.6102 |
| Microsoft Security Essentials | Worm:Win32/SillyShareCopy.gen | 1.163.1557.0 |
| nProtect | Trojan/W32.Sasfis.77824.S | 10.05.01.01 |
| Panda Antivirus | Adware/NaviPromo | 17.03.08.02 |
| Prevx | Medium Risk Malware Dropper | 3.0 |
| Quick Heal | Trojan.Sasfis.ahbn | 3.17.10.00 |
| Sophos | Mal/Behav-136 | 4.53 |
| Vba32 AntiVirus | Trojan.Win32.Sasfis.ahfu | 3.12.12.4 |

File size:
76 KB (77,824 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\svchost.exe

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x62E4

Entry point:
55, 8B, EC, B9, 0B, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 51, 53, 56, 57, B8, 84, 62, 40, 00, E8, 37, E4, FF, FF, 33, C0, 55, 68, 90, 67, 40, 00, 64, FF, 30, 64, 89, 20, B9, CC, 86, 40, 00, BA, 0A, 00, 00, 00, B8, A8, 67, 40, 00, E8, F5, E9, FF, FF, 8B, F0, E8, 92, FD, FF, FF, B2, 01, A1, 98, 52, 40, 00, E8, 9E, CA, FF, FF, 8B, D8, 8B, C3, E8, B5, F1, FF, FF, 8D, 45, EC, E8, 61, FE, FF, FF, 8B, 55, EC, B8, C4, 86, 40, 00, E8, 14, D4, FF, FF, B8, 28, 87, 40, 00, 8B, 53, 04, 8B, 52, 08, E8, 04, D4, FF, FF...
 

Developed / compiled with:
Microsoft Visual C++

Code size:
22.5 KB (23,040 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
svchost

Command:
C:\users\{user}\appdata\roaming\microsoft\svchost.exe

