taskhost.exe

Java Platform SE

Microsoft Corporation Inc.

The executable taskhost.exe has been detected as malware by 4 of 68 anti-virus scanners. It persists by starting automatically when the user logs into Windows, via the current-user Run registry key, under the value name ‘Java(TM) Platform SE’. Its version information is inconsistent with what it pretends to be: the publisher string reads ‘Microsoft Corporation Inc.’ (genuine Microsoft binaries carry ‘Microsoft Corporation’, without ‘Inc.’), the product name claims to be Java Platform SE, which is an Oracle product, and the file runs from the user’s roaming AppData folder, whereas the genuine taskhost.exe ships with Windows in %SystemRoot%\System32. A file named taskhost.exe that starts from a user-writable directory should be treated as suspect regardless of scanner count.
Publisher:
Microsoft Corporation Inc.

Product:
Java(TM) Platform SE

Version:
10.1.5044.17544

MD5:
1f25eed453889715ae4662c40ff3fb3f

SHA-1:
f0e01fc4a1a275a6fb3a481c832123b9edbd12cd

SHA-256:
0da79e5c9676bae419e6aadcdf18fe9c9470973ab72e6d6b762cd12428852c42

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
4/19/2024 2:02:58 PM UTC

Scan engine
Detection
Engine version

Baidu Antivirus
Trojan.MSIL.Heleboch
4.0.3.14620

ESET NOD32
MSIL/Heleboch (variant)
8.9813

Malwarebytes
Backdoor.Bot
v2014.06.20.09

Qihoo 360 Security
Malware.QVM03.Gen
1.0.0.1015

File size:
719 KB (736,256 bytes)

Product version:
10.1.5044.17544

Copyright:
© Microsoft Corporation. All rights reserved.

Trademarks:
© Microsoft Corporation. All rights reserved.

Original file name:
taskhost.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\system\taskhost.exe

File PE Metadata
Compilation timestamp:
4/24/2014 8:06:38 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:R1vqoD5QCOwhlTXSyGlj8TGNBIFcj9QjZSAtf43S9cp5W0x:SPTIFipjn

Entry address:
0x5E69E

Entry point (first bytes; FF 25 00 20 40 00 is jmp dword ptr [0x402000], the usual native stub of a 32-bit .NET executable that jumps through the mscoree.dll _CorExeMain import, and the trailing zeros are padding):
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
370 KB (378,880 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Java(TM) Platform SE

Command:
C:\users\{user}\appdata\roaming\system\taskhost.exe


The executing file has been observed making the following network connections in live environments. Not every host below is a command-and-control indicator: par10s12-in-f4.1e100.net is Google infrastructure (1e100.net is Google’s reverse-DNS domain) and is most likely a connectivity check, while the remaining hosts resolve into an ISP customer range and shared-hosting address space, so treat them as pivots for further investigation rather than as attribution on their own.

TCP (HTTP):
Connects to wana-182-234-12-196.wanamaroc.com  (196.12.234.182:80)

TCP (HTTP):
Connects to par10s12-in-f4.1e100.net  (173.194.40.196:80)

TCP (HTTP):
Connects to p3nwvpweb090.shr.prod.phx3.secureserver.net  (50.62.160.27:80)

TCP (HTTP):
Connects to 208.43.241.178-static.reverse.softlayer.com  (208.43.241.178:80)

Remove taskhost.exe - Powered by Reason Core Security