download:

taskhost.exe

Full analysis: https://app.any.run/tasks/3066d544-77a7-4b99-b106-608c04387b60
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 21, 2020, 20:21:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
covid19
opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

92738A81F090C9BD0183C1888BF83DD6

SHA1:

53A2E68336116D158CE968C4F619B822BF69E6BF

SHA256:

5FAB6F8FC6F683404C5439CB702531EAD1A3A304B395CBBA6DD221D9F47894B2

SSDEEP:

12288:bzeaeIg9XIOA74YemgE12fpbPmKudfyJ3qSNs4f+69/GyVvopz3+gTY:PerIg9X95ZfhmKukJ3tf+69/GyRot+y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • taskhost.exe (PID: 3036)

    • Downloads executable files from IP

      • taskhost.exe (PID: 3036)

    • Application was dropped or rewritten from another process

      • services.exe (PID: 2836)

  • SUSPICIOUS

    • Creates executable files which already exist in Windows

      • taskhost.exe (PID: 3036)

    • Creates files in the user directory

      • taskhost.exe (PID: 3036)

    • Executable content was dropped or overwritten

      • taskhost.exe (PID: 3036)

  • INFO

    • Reads the hosts file

      • taskhost.exe (PID: 3036)
      • services.exe (PID: 2836)

    • Drops Coronavirus (possible) decoy

      • services.exe (PID: 2836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:07:10 05:30:37+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 539136
InitializedDataSize: 164352
UninitializedDataSize: -
EntryPoint: 0x5ea37
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.1.7600.16385
ProductVersionNumber: 6.1.7600.16385
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Unknown (0009)
CharacterSet: Unicode
CompanyName: TODO: <Company name>
FileDescription: Host Process for Windows Services
FileVersion: 6.1.7600.16385
InternalName: 22222222
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: taskhost.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-Jul-2020 03:30:37
Detected languages:
  • Russian - Russia
CompanyName: TODO: <Company name>
FileDescription: Host Process for Windows Services
FileVersion: 6.1.7600.16385
InternalName: 22222222
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: taskhost.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 10-Jul-2020 03:30:37
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0008385C
0x00083A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.59181
.rdata
0x00085000
0x0001E3C6
0x0001E400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.77361
.data
0x000A4000
0x00002D74
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.66549
.gfids
0x000A7000
0x000002A4
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.82751
.tls
0x000A8000
0x00000009
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
0x000A9000
0x000003E0
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.32123
.reloc
0x000AA000
0x000064C8
0x00006600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.67771

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.53805
892
UNKNOWN
Russian - Russia
RT_VERSION

Imports

ADVAPI32.dll
CRYPT32.dll
DNSAPI.dll
KERNEL32.dll
Normaliz.dll
USER32.dll
WLDAP32.dll
WS2_32.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start taskhost.exe services.exe

Process information

PID
CMD
Path
Indicators
Parent process
2836C:\Users\admin\AppData\Roaming\services.exeC:\Users\admin\AppData\Roaming\services.exe
taskhost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385
Modules
Images
c:\users\admin\appdata\roaming\services.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3036"C:\Users\admin\AppData\Local\Temp\taskhost.exe" C:\Users\admin\AppData\Local\Temp\taskhost.exe
explorer.exe
User:
admin
Company:
TODO: <Company name>
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385
Modules
Images
c:\users\admin\appdata\local\temp\taskhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
Total events
29
Read events
29
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3036taskhost.exeC:\Users\admin\AppData\Roaming\services.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3 307
TCP/UDP connections
5 094
DNS requests
641
Threats
260

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2836
services.exe
GET
301
81.169.145.95:80
http://bx-immobilien.de/bxgvn'"ezllq/geschaeftsbereiche
DE
malicious
2836
services.exe
GET
301
91.198.174.192:80
http://af.wikipedia.org/wikidbq'"yuslq/SV_Ro%C3%9Fbach/Wied
NL
malicious
2836
services.exe
GET
301
185.104.45.18:80
http://civildiplomat.com/newshmz'"lcuch/direktor-fondu-gromadskoi-diplomatii-anton-najchuk-stav-uchasnikom-vsesvitno-forumu-za-demokratiyu-2019-u-strazburzi
GB
unknown
2836
services.exe
GET
301
37.9.175.11:80
http://www.tatry.sk/elro-2019-1owc'"vwfrg/?_ref=30637
SK
suspicious
2836
services.exe
GET
200
217.8.117.48:80
http://217.8.117.48/test48372/1.php?i=d2b4bc26d56b6e189d24381
unknown
text
589 Kb
suspicious
3036
taskhost.exe
GET
200
217.8.117.48:80
http://217.8.117.48/test48372/services.exe
unknown
executable
2.38 Mb
suspicious
GET
404
77.86.188.217:80
http://www.suomentietokirjailijat.fi/mediallevqg'"wvylc/uutisarkisto/helsingin-kirjamessujen-tietokirjaraadin-voittivat-mari-mannisen-kiinalainen-juttu-ja-julia-thurenin-kaikki-rahasta.html?archieveyear=2018&id=806?archieveyear=2018&id=783
FI
html
92.1 Kb
unknown
3036
taskhost.exe
GET
200
217.8.117.48:80
http://217.8.117.48/test48372/services.exe
unknown
executable
2.38 Mb
suspicious
GET
301
5.9.0.154:80
http://infokop.net/forumvqg'"wvylc/showthread.php?401-Vremenska-prognoza&s=ac5a333da0b0ff79e47fefe0877c721d
DE
html
322 b
unknown
GET
404
184.168.131.241:80
http://www.lakerealty.co/real-estatewyk'"genwq/3566601/000-price-street-clover-sc-29710/
US
html
75.0 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
66.70.228.164:53
OVH SAS
CA
malicious
3036
taskhost.exe
217.8.117.48:80
k6239847.lib
suspicious
2836
services.exe
217.8.117.48:80
k6239847.lib
suspicious
2836
services.exe
5.132.191.104:53
Nessus GmbH
AT
malicious
2836
services.exe
124.146.170.166:80
faq.click-sec.com
NTT PC Communications, Inc.
JP
unknown
2836
services.exe
104.109.94.85:80
es.panjiva.com
Akamai International B.V.
NL
unknown
2836
services.exe
5.9.0.154:80
infokop.net
Hetzner Online GmbH
DE
unknown
2836
services.exe
77.86.188.217:80
www.suomentietokirjailijat.fi
Nebula Oy
FI
unknown
2836
services.exe
104.18.40.94:80
epaper.newagebd.net
Cloudflare Inc
US
shared
2836
services.exe
23.210.250.92:80
www.ebay.fr
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
k6239847.lib
  • 217.8.117.48
suspicious
pressroom.aboutschwab.com
  • 69.172.200.252
unknown
faq.click-sec.com
  • 124.146.170.166
unknown
es.panjiva.com
  • 104.109.94.85
unknown
infokop.net
  • 5.9.0.154
unknown
www.suomentietokirjailijat.fi
  • 77.86.188.217
unknown
epaper.newagebd.net
  • 104.18.40.94
  • 104.18.41.94
  • 172.67.144.50
suspicious
kazercase.com
  • 23.227.38.32
malicious
af.wikipedia.org
  • 91.198.174.192
malicious
www.personalart.pl
  • 167.71.32.204
unknown

Threats

PID
Process
Class
Message
3036
taskhost.exe
A Network Trojan was detected
AV INFO Observed DNS Query to Suspicious Domain *[.]lib
3036
taskhost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query for EmerDNS TLD (.lib)
3036
taskhost.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3036
taskhost.exe
Potentially Bad Traffic
ET INFO Suspicious services.exe in URI
3036
taskhost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3036
taskhost.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3036
taskhost.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3036
taskhost.exe
Potentially Bad Traffic
ET INFO Suspicious services.exe in URI
2836
services.exe
A Network Trojan was detected
AV INFO Observed DNS Query to Suspicious Domain *[.]lib
2836
services.exe
Potentially Bad Traffic
ET INFO Observed DNS Query for EmerDNS TLD (.lib)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
taskhost.exe