svchost.exe

{D1CDC79E-9E78-4A5F-9BCD-AB50983E68C7}

The executable svchost.exe has been detected as malware by 27 anti-virus scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key, under the display name ‘Proceso host para los servicios de Windows’. This trojan performs a number of actions that compromise a PC, including changing protected system registry values, hiding in protected operating-system locations, and downloading and installing additional malware. Although this file uses the name svchost.exe, it is NOT the Windows SvcHost (Service Host) distributed with the OS: the genuine one lives in the Windows system directory, whereas this sample runs from a user-writable AppData path.
Publisher:

MD5:
904876f0d8d1a2904f31a5d8284e9124

SHA-1:
c0cd6254791acafe2f91c702ad0227d3225283a0

SHA-256:
c1ec0878c84975e988b6698e36511b1a4c6d8152663335389714b8b12464d853

Scanner detections:
27 / 68

Status:
Malware

Analysis date:
4/26/2024 11:44:24 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Heur.Jatif.Gen.1
352

Agnitum Outpost
Trojan.Agent
7.1.1

AhnLab V3 Security
Trojan/Win32.CoinMiner
2015.05.23

Avira AntiVirus
TR/Dropper.MSIL.Gen
8.3.1.6

avast!
Win32:Dropper-gen [Drp]
2014.9-160217

AVG
Inject2
2017.0.2830

Bitdefender
Gen:Heur.Jatif.Gen.1
1.0.20.240

Comodo Security
UnclassifiedMalware
22212

Dr.Web
BackDoor.Comet.884
9.0.1.048

Emsisoft Anti-Malware
Gen:Heur.Jatif.Gen
8.16.02.17.07

ESET NOD32
MSIL/Injector.DVN (variant)
10.11669

Fortinet FortiGate
MSIL/Injector.DVN!tr
2/17/2016

F-Secure
Gen:Heur.Jatif.Gen.1
11.2016-17-02_4

G Data
Gen:Heur.Jatif.Gen
16.2.25

IKARUS anti.virus
Trojan.MSIL.Injector
t3scan.1.8.9.0

K7 AntiVirus
Trojan
13.204.16000

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.646

McAfee
Artemis!904876F0D8D1
5600.6486

Microsoft Security Essentials
Trojan:Win32/Malagent!gmb
1.1.11701.0

MicroWorld eScan
Gen:Heur.Jatif.Gen.1
17.0.0.144

NANO AntiVirus
Trojan.Win32.Comet.ddaqkw
0.30.24.1636

Panda Antivirus
Trj/CI.A
16.02.17.07

Qihoo 360 Security
HEUR/Malware.QVM03.Gen
1.0.0.1015

Quick Heal
Trojan.Generic.r3
2.16.14.00

Sophos
Mal/Cleaman-B
4.98

Total Defense
Win32/Tnega.XASR!suspicious
37.1.62.1

VIPRE Antivirus
Trojan.Win32.Generic
40464

File size:
437.6 KB (448,064 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\svchost.exe

Digital Signature
Authority:
{D1CDC79E-9E78-4A5F-9BCD-AB50983E68C7}

Valid from:
4/29/2014 10:09:56 PM

Valid to:
4/30/2015 4:09:56 AM

Subject:
CN={D1CDC79E-9E78-4A5F-9BCD-AB50983E68C7}

Issuer:
CN={D1CDC79E-9E78-4A5F-9BCD-AB50983E68C7}

Serial number:
1E6CC65BB239DD99402691D1631F5B0C

File PE Metadata
Compilation timestamp:
5/25/2014 12:26:05 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:eQPHzMEji8zd88cshQEtCmuAa5rjLnsDjaDUIgdGGE4EBtPGlY+77up:LYEjda8DmEgmUbnjUPdG+Sp

Entry address:
0x66CCE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
403.5 KB (413,184 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Proceso host para los servicios de Windows

Command:
C:\users\{user}\appdata\roaming\adobe\svchost.exe


Remove svchost.exe - Powered by Reason Core Security