File name:

TaskMgr.exe

Full analysis: https://app.any.run/tasks/af72db05-0377-4635-8c5c-41ba27e7777d
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: May 12, 2025, 04:25:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
njrat
rat
bladabindi
auto-reg
auto-startup
remote
backdoor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

DD96C8DC0FFA96A781E5C1CB9C5B32CC

SHA1:

29900E3DFEBAF26A7DDD2B793BFFCAEC5C37FF1A

SHA256:

C1520F75BE97626CF4938F76ED988AF9097A82620245698DBA6A131F1040A05F

SSDEEP:

768:u1TiYxDmeb9rpiEH3pewa0XuiokbS2agD5PvUMXXJdxIEpmgDO:u1u25hp1ZbokkgDpX3xIEpmgDO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • dllhost.exe (PID: 4628)

    • Changes the autorun value in the registry

      • dllhost.exe (PID: 4628)

    • NJRAT has been detected (YARA)

      • dllhost.exe (PID: 4628)

    • NjRAT is detected

      • dllhost.exe (PID: 4628)

    • NJRAT has been detected (SURICATA)

      • dllhost.exe (PID: 4628)

    • Connects to the CnC server

      • dllhost.exe (PID: 4628)

  • SUSPICIOUS

    • Starts itself from another location

      • TaskMgr.exe (PID: 3888)

    • Reads security settings of Internet Explorer

      • TaskMgr.exe (PID: 3888)

    • Executable content was dropped or overwritten

      • TaskMgr.exe (PID: 3888)
      • dllhost.exe (PID: 4628)

    • The process creates files with name similar to system file names

      • TaskMgr.exe (PID: 3888)

    • Uses ATTRIB.EXE to modify file attributes

      • dllhost.exe (PID: 4628)

    • There is functionality for taking screenshot (YARA)

      • dllhost.exe (PID: 4628)

    • Connects to unusual port

      • dllhost.exe (PID: 4628)

    • Contacting a server suspected of hosting an CnC

      • dllhost.exe (PID: 4628)

  • INFO

    • Create files in a temporary directory

      • TaskMgr.exe (PID: 3888)
      • dllhost.exe (PID: 4628)

    • Process checks computer location settings

      • TaskMgr.exe (PID: 3888)

    • Checks supported languages

      • dllhost.exe (PID: 4628)
      • TaskMgr.exe (PID: 3888)

    • Reads the computer name

      • TaskMgr.exe (PID: 3888)
      • dllhost.exe (PID: 4628)

    • Creates files or folders in the user directory

      • dllhost.exe (PID: 4628)

    • Auto-launch of the file from Startup directory

      • dllhost.exe (PID: 4628)

    • Auto-launch of the file from Registry key

      • dllhost.exe (PID: 4628)

    • Reads the machine GUID from the registry

      • dllhost.exe (PID: 4628)

    • Manual execution by a user

      • dllhost.exe (PID: 4268)
      • dllhost.exe (PID: 4944)

    • Checks proxy server information

      • slui.exe (PID: 1096)

    • Reads the software policy settings

      • slui.exe (PID: 1096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process(4628) dllhost.exe
C2147.185.221.27
Ports39536
BotnetVictim
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\48d5ba838ff96f257a6ef43143620b5a
SplitterY262SUCZ4UJJ
Version<- NjRAT 0.7d Horror Edition ->
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (45.7)
.exe | Win32 Executable MS Visual C++ (generic) (19.4)
.exe | Win64 Executable (generic) (17.2)
.scr | Windows screen saver (8.1)
.dll | Win32 Dynamic Link Library (generic) (4.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:12 04:05:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 53760
InitializedDataSize: 5632
UninitializedDataSize: -
EntryPoint: 0xf03e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start taskmgr.exe #NJRAT dllhost.exe attrib.exe no specs conhost.exe no specs dllhost.exe no specs dllhost.exe no specs slui.exe taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1056\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeattrib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1096C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3888"C:\Users\admin\Desktop\TaskMgr.exe" C:\Users\admin\Desktop\TaskMgr.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4244attrib +h "C:\Users\admin\AppData\Local\Temp\dllhost.exe"C:\Windows\SysWOW64\attrib.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4268"C:\Users\admin\AppData\Local\Temp\dllhost.exe" ..C:\Users\admin\AppData\Local\Temp\dllhost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4628"C:\Users\admin\AppData\Local\Temp\dllhost.exe" C:\Users\admin\AppData\Local\Temp\dllhost.exe
TaskMgr.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
NjRat
(PID) Process(4628) dllhost.exe
C2147.185.221.27
Ports39536
BotnetVictim
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\48d5ba838ff96f257a6ef43143620b5a
SplitterY262SUCZ4UJJ
Version<- NjRAT 0.7d Horror Edition ->
4944"C:\Users\admin\AppData\Local\Temp\dllhost.exe" ..C:\Users\admin\AppData\Local\Temp\dllhost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7052"C:\Users\admin\Desktop\TaskMgr.exe" C:\Users\admin\Desktop\TaskMgr.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
5 007
Read events
4 728
Write events
279
Delete events
0

Modification events

(PID) Process:(4628) dllhost.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:SEE_MASK_NOZONECHECKS
Value:
1
(PID) Process:(4628) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:48d5ba838ff96f257a6ef43143620b5a
Value:
"C:\Users\admin\AppData\Local\Temp\dllhost.exe" ..
(PID) Process:(4628) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:48d5ba838ff96f257a6ef43143620b5a
Value:
"C:\Users\admin\AppData\Local\Temp\dllhost.exe" ..
(PID) Process:(4628) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\48d5ba838ff96f257a6ef43143620b5a
Operation:writeName:[kl]
Value:
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4628dllhost.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\48d5ba838ff96f257a6ef43143620b5a.exeexecutable
MD5:DD96C8DC0FFA96A781E5C1CB9C5B32CC
SHA256:C1520F75BE97626CF4938F76ED988AF9097A82620245698DBA6A131F1040A05F
3888TaskMgr.exeC:\Users\admin\AppData\Local\Temp\dllhost.exeexecutable
MD5:DD96C8DC0FFA96A781E5C1CB9C5B32CC
SHA256:C1520F75BE97626CF4938F76ED988AF9097A82620245698DBA6A131F1040A05F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
40
DNS requests
12
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4920
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
4920
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4920
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4920
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
4920
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
20.242.39.171:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
4920
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4920
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4628
dllhost.exe
147.185.221.27:39536
PLAYIT-GG
US
malicious
4920
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4920
SIHClient.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4920
SIHClient.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4920
SIHClient.exe
20.242.39.171:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7148
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 172.217.16.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
login.live.com
  • 20.190.160.17
  • 20.190.160.128
  • 40.126.32.72
  • 40.126.32.134
  • 20.190.160.131
  • 20.190.160.4
  • 20.190.160.132
  • 40.126.32.140
whitelisted

Threats

PID
Process
Class
Message
4628
dllhost.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
4628
dllhost.exe
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TaskMgr.exe