svchost.exe

The executable svchost.exe has been detected as malware by 7 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘34d91dfb34a7283483d0aaba9d10147d’. Although this file uses the name svchost.exe, this is NOT the Windows SvcHost (Service Host) distributed with the OS. The file has been seen being downloaded from reggiemenacherry.in.
Version:
1.0.0.1

MD5:
ce7f8a17a8bc5a132001698f26d0d918

SHA-1:
b4d86446cc05ee941e9a6661287ae9179e13e043

SHA-256:
125930df8e37d0d5696c9edc4c3105dfa59c9ece020a1e30f8d464e4d0d12c06

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
11/27/2024 12:52:27 PM UTC

Scan engine                    Detection                      Engine version
avast!                         Win32:Malware-gen              160215-2
Dr.Web                         Trojan.DownLoader16.34257      9.0.1.05190
Emsisoft Anti-Malware          Trojan.GenericKDZ.30364        11.5.0.6191
ESET NOD32                     MSIL/Injector.MAG trojan       8.0.319.0
F-Secure                       Trojan.GenericKDZ.30364        5.15.21
Microsoft Security Essentials  Threat.Undefined               1.215.312.0
Norman                         Trojan.GenericKDZ.30364        29.02.2016 03:11:57

File size:
235 KB (240,640 bytes)

Product version:
1.0.0.1

Original file name:
NvBackend.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\svchost.exe

File PE Metadata
Compilation timestamp:
11/1/2015 8:56:31 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:pEEyom8TguMCgqcmoyhQK8mIies64WEyQO8AKBOV4KiAmUq8gnReoLbQ9x9Z0IqE:hDx0g4oLbq9r/D02VMs/HNDN42lLSK

Entry address:
0x397FE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
4.6376

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
222.5 KB (227,840 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
34d91dfb34a7283483d0aaba9d10147d

Command:
C:\users\{user}\appdata\local\temp\{random}.tmp\svchost.exe


The file svchost.exe has been seen being distributed by the following URL.

Remove svchost.exe - Powered by Reason Core Security