Should I block it?

90%
90% of PCs block this file from running.
Possible reason:
Multiple malware detections

VersionsAdditional versions

564ba 14.74%
f4c1b 5.77%
76b79 0.64%
bb4b1 5.77%
e39c3 5.77%
d175c 1.92%
35e91 13.46%
a4ca4 1.92%
f91bb 2.56%
65603 3.85%
4cc98 0.64%
881db 4.49%
bad7b 0.64%
2e1df 10.90%
ec0c1 0.64%
edfe7 4.49%
91939 1.92%
18ee6 0.64%
fa2a2 10.90%
3bba9 0.64%
51cb8 2.56%
67a2b 1.28%
a4493 0.64%
01f17 1.28%
704ee 0.64%
View more
(Note, AnchorFree Inc publishes each variation of this file with the same version, but the hashes are unique.)

Relationships

Parent process
Related files

PE structurePE file structure

Show functions
Import table
advapi32.dll
SetServiceStatus, QueryServiceConfigW, EnumServicesStatusW, RegEnumKeyExA, RegOpenKeyExA, RegQueryValueExW, RegOpenKeyExW, SetSecurityDescriptorDacl, OpenSCManagerW, CreateServiceW, CloseServiceHandle, RegCreateKeyW, RegSetValueExW, RegCloseKey, OpenServiceW, StartServiceW, QueryServiceStatus, ControlService, DeleteService, RegisterServiceCtrlHandlerW, ChangeServiceConfig2W, StartServiceCtrlDispatcherW, CloseEventLog, ReadEventLogW, GetOldestEventLogRecord, InitializeSecurityDescriptor, OpenEventLogW, RegisterServiceCtrlHandlerExW
iphlpapi.dll
GetAdaptersInfo
kernel32.dll
LoadLibraryW, GetProcAddress, OpenEventW, GetVersionExW, GetLastError, FindClose, FindNextFileW, WaitForSingleObject, FindFirstFileW, CreateEventW, CloseHandle, OpenProcess, CopyFileW, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime, GetSystemTimeAsFileTime, Sleep, FormatMessageW, InterlockedDecrement, DeleteFileW, GetModuleFileNameW, SetConsoleCtrlHandler, UnhandledExceptionFilter, lstrlenA, SetEnvironmentVariableA, GetProcessHeap, SetEndOfFile, InterlockedExchange, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, FreeLibrary, GetCurrentThreadId, CreateThread, PostQueuedCompletionStatus, SetEvent, CreateIoCompletionPort, GetQueuedCompletionStatus, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, FindCloseChangeNotification, FindNextChangeNotification, FindFirstChangeNotificationW, ResetEvent, GetModuleHandleW, GetSystemInfo, GetVersionExA, GetModuleHandleA, LoadLibraryA, SetCurrentDirectoryW, CreateMutexW, ReleaseMutex, OpenMutexW, GetTempPathW, GetTempFileNameW, GetSystemDirectoryW, OutputDebugStringW, GetSystemWindowsDirectoryW, GetLongPathNameW, GetVolumeInformationW, WideCharToMultiByte, MultiByteToWideChar, CreateFileW, ReadFile, InterlockedIncrement, CreateDirectoryW, HeapFree, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, ExitThread, ResumeThread, FileTimeToLocalFileTime, GetDriveTypeA, FindFirstFileA, HeapAlloc, HeapReAlloc, GetDriveTypeW, RaiseException, RtlUnwind, WriteFile, GetConsoleCP, GetConsoleMode, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapCreate, VirtualFree, VirtualAlloc, HeapSize, ExitProcess, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, LCMapStringA, LCMapStringW, GetFullPathNameA, GetFileInformationByHandle, PeekNamedPipe, CreateFileA, GetCurrentDirectoryA, SetFilePointer, GetFullPathNameW, CompareStringW, CompareStringA, FlushFileBuffers, InitializeCriticalSectionAndSpinCount, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, GetTimeFormatA, FormatMessageA, LocalFree, GetFileSize, GetDateFormatA, HeapDestroy, EncodePointer, DecodePointer, HeapSetInformation, FindFirstFileExW, IsProcessorFeaturePresent, GetStartupInfoW, GetCurrentDirectoryW, InterlockedExchangeAdd, CreateEventA, OpenEventA, CreateWaitableTimerA, QueueUserAPC, TerminateThread, SetWaitableTimer, ReleaseSemaphore, CreateSemaphoreA, InterlockedCompareExchange, UnregisterWaitEx, RegisterWaitForSingleObject, SleepEx, CreateWaitableTimerW, DuplicateHandle, GetLocaleInfoW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale
ole32.dll
CoCreateInstance, CoInitialize, OleRun
psapi.dll
GetModuleFileNameExW, EnumProcessModules, EnumProcesses
shell32.dll
SHGetFolderPathW, SHGetFolderPathA
shlwapi.dll
PathAppendW, PathCombineW, PathFileExistsW, PathIsDirectoryW, PathIsRootW, PathAddBackslashW
user32.dll
wvsprintfW, GetSystemMetrics
ws2_32.dll
WSACreateEvent, WSAEventSelect, WSAEnumNetworkEvents, WSAIoctl

hsswd.exe

By AnchorFree Inc (Signed)

Remove hsswd.exe
MD5:   bb4b1326f64c3e1c1102258dc453851e
SHA1:   dd976effbb31daf05311f81c88eb886b99a129a4
SHA256:   bcc76665abcc546bc3fb02d16a4c7e7143065d2595c358a51ea2ecf3f8a41dce
Warning 6 antivirus scanners has detected malware.

About hsswd.exe (from AnchorFree Inc)

Hotspot Shield creates a virtual private network (VPN) between your laptop or iPhone and our Internet gateway. This impenetrable tunnel prevents snoopers, hackers, ISP‘s, from viewing your web browsin

Overview

hsswd.exe is malware that runs as a service under the name ExpatWd (ExpatWd) with extensive SYSTEM privileges (full administrator access). This is typically installed with the program Hotspot Shield 3.09 published by AnchorFree Inc and is most likely removed by most users once installed (58% removed). The file is digitally signed by AnchorFree Inc which was issued by the VeriSign certificate authority (CA).

DetailsDetails

File name:hsswd.exe
Typical file path:C:\Program Files\hotspot shield\bin\hsswd.exe
Size:380.36 KB (389,488 bytes)
Certificate
Issued to:AnchorFree Inc
Authority (CA):VeriSign
Effective date:Sunday, March 27, 2011
Expiration date:Sunday, April 13, 2014
Digital DNA
PE subsystem:Windows Console
Entropy:6.591774
File packed:No
.NET CLR:No
More details

ResourcesPrograms

The following program will install this file
AnchorFree Inc
  58% remove
If you are using the free Service, AnchorFree may deliver third-party Advertisements within the content of any web page accessed. Advertisements may be injected into the top of the page, inserted directly into the page content, or even displayed to overlay the page. A “hotspot” is a Wi-Fi connection access point. Usually this type of connection is public; therefore, it is completely insecure. Hotspot Shield allows you to create a VPN, ...

BehaviorsBehaviors

Services
Runs under 'SYSTEM\CurrentControlSet\Services' by the Service Controller (services.exe)
  • ExpatWd
  • 'ExpatWd' (Expat Shield Monitoring Service)
  • 'HssWd' (Hotspot Shield Monitoring Service)

MalwareMalware detections

Based on 40+ industry antivirus scanners, 6 of them detected the following malware.
Antivirus engineEngine versionDetection
Emsisoft Anti-Malware 3.0.0.569 Gen:Variant.Graftor.48415 (B)
NANO AntiVirus 0.22.8.50837 Trojan.Win32.Agent2.bbullt
nProtect 2013-03-11.01 Trojan/W32.Agent.389488
The Hacker None Trojan/Agent2.cspl
Trend Micro 9.740.0.1012 HT_AGENT_BK08412A.TOMC
Trend Micro HouseCall 9.700.0.1001 TROJ_GEN.F47V1018

ResourcesResource utilization

(Note: statistics below are averages based on a minimum sample size of 200 unique participants)
Averages
 
CPU
Total CPU:0.00482138%
0.028634%
Kernel CPU:0.00309366%
0.013761%
User CPU:0.00172772%
0.014873%
Kernel CPU time:7,027 ms/min
100,923,805ms/min
CPU cycles:271,329/sec
17,470,203/sec
Context switches:38/sec
284/sec
Memory
Private memory:2.53 MB
21.59 MB
Private (maximum):3.9 MB
Private (minimum):2.06 MB
Non-paged memory:2.53 MB
21.59 MB
Virtual memory:55.11 MB
140.96 MB
Virtual memory (peak):56.56 MB
169.69 MB
Working set:2.81 MB
18.61 MB
Working set (peak):5.76 MB
37.95 MB
Page faults:5,098/min
2,039/min
I/O
I/O read transfer:2 Bytes/sec
1.02 MB/min
I/O read operations:1/sec
343/min
I/O other transfer:897 Bytes/sec
448.09 KB/min
I/O other operations:24/sec
1,671/min
Resource allocations
Threads:5
12
Handles:111
600
GUI GDI count:4
103
GUI USER count:3
49

BehaviorsProcess properties

Integrety level:System
Platform:32-bit
Command line:"C:\Program Files\hotspot shield\bin\hsswd.exe"
Owner:SYSTEM
Windows Service
Service name:ExpatWd
Display name:ExpatWd
Type:Win32OwnProcess
Parent process:services.exe (Services and Controller app by Microsoft)

ResourcesThreads

Averages
 
hsswd.exe (main module)
Total CPU:0.00532051%
0.272967%
Kernel CPU:0.00399729%
0.107585%
User CPU:0.00132322%
0.165382%
CPU cycles:430,920/sec
5,741,424/sec
Context switches:3/sec
79/sec
Memory:416 KB
1.16 MB
sechost.dll
Total CPU:0.00039624%
Kernel CPU:0.00039624%
User CPU:0.00000000%
CPU cycles:166/sec
Memory:100 KB
ADVAPI32.dll
Total CPU:0.00003238%
Kernel CPU:0.00003238%
User CPU:0.00000000%
CPU cycles:43/sec
Memory:792 KB

Common loaded modules

These are modules that are typiclaly loaded within the context of this process.

Windows OS versionsDistribution by Windows OS

OS versiondistribution
Windows 7 Ultimate 38.31%
Windows 7 Home Premium 21.43%
Microsoft Windows XP 14.29%
Windows 8 Pro 6.49%
Windows Vista Home Premium 4.55%
Windows 7 Professional 3.90%
Windows 7 Home Basic 2.60%
Windows 8 Enterprise 2.60%
Windows 7 Ultimate N 1.95%
Windows 8 Pro with Media Center 1.30%
Windows 8 Single Language 0.65%
Windows 8 Enterprise N 0.65%
Windows XP Professional 0.65%
Windows 8 0.65%

Distribution by countryDistribution by country

United States installs about 20.69% of hsswd.exe.

OEM distributionDistribution by PC manufacturer

PC Manufacturerdistribution
Toshiba 24.19%
Dell 19.35%
ASUS 12.90%
Hewlett-Packard 10.48%
Lenovo 9.68%
Acer 7.26%
Intel 3.23%
Sony 3.23%
MSI 3.23%
GIGABYTE 3.23%
American Megatrends 1.61%
Gateway 1.61%
Should I remove It? Clean your PC of unwanted adware, toolbars and bloatware.

Download it for FREE