File name: taskhostw.exe

Full analysis: https://app.any.run/tasks/847d9478-c6c0-4879-a874-465b02ee7bff
Verdict: Malicious activity
Analysis date: March 01, 2026, 15:55:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: telegram, autoit, evasion, ims-api, generic, themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 12 sections
MD5: 68D501EAD891BB9903C5F010255D87F1
SHA1: 718E88068AAA5EDEF2241633B01F147834D2F91D
SHA256: E8E3C717E96793A7CEF2ACE0AA35A854AD4A7AB8A9E45825A6019C42181CFC22
SSDEEP: 196608:Q41x95SKW/BMViINltDnz9OhQxU5qZXM5Fnpt/RRpolptbPO:/fslMVvNfhO6xU77nptrpol+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the BIOS version

      • taskhostw.exe (PID: 2336)
    • Executable content was dropped or overwritten

      • taskhostw.exe (PID: 2336)
    • Potential Corporate Privacy Violation

      • taskhostw.exe (PID: 2336)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • taskhostw.exe (PID: 2336)
    • Checks for external IP

      • svchost.exe (PID: 2292)
  • INFO

    • Checks supported languages

      • taskhostw.exe (PID: 2336)
    • The sample compiled with english language support

      • taskhostw.exe (PID: 2336)
    • Reads the computer name

      • taskhostw.exe (PID: 2336)
    • Create files in a temporary directory

      • taskhostw.exe (PID: 2336)
    • Reads mouse settings

      • taskhostw.exe (PID: 2336)
    • Reads CPU info

      • taskhostw.exe (PID: 2336)
    • Creates files in the program directory

      • taskhostw.exe (PID: 2336)
    • Checks proxy server information

      • taskhostw.exe (PID: 2336)
      • slui.exe (PID: 8228)
    • Reads security settings of Internet Explorer

      • taskhostw.exe (PID: 2336)
    • Creates files or folders in the user directory

      • taskhostw.exe (PID: 2336)
    • Reads the machine GUID from the registry

      • taskhostw.exe (PID: 2336)
    • The process uses AutoIt

      • taskhostw.exe (PID: 2336)
    • Themida protector has been detected

      • taskhostw.exe (PID: 2336)

ims-api

(PID) Process: (2336) taskhostw.exe
Telegram-Tokens (1): 6694077640:AAGNnkSYN1Rm7AVm3ouSxm5yx2anD6lepZA
Telegram-Info-Links for token 6694077640:AAGNnkSYN1Rm7AVm3ouSxm5yx2anD6lepZA:
Get info about bot: https://api.telegram.org/bot6694077640:AAGNnkSYN1Rm7AVm3ouSxm5yx2anD6lepZA/getMe
Get incoming updates: https://api.telegram.org/bot6694077640:AAGNnkSYN1Rm7AVm3ouSxm5yx2anD6lepZA/getUpdates
Get webhook: https://api.telegram.org/bot6694077640:AAGNnkSYN1Rm7AVm3ouSxm5yx2anD6lepZA/getWebhookInfo
Delete webhook: https://api.telegram.org/bot6694077640:AAGNnkSYN1Rm7AVm3ouSxm5yx2anD6lepZA/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot6694077640:AAGNnkSYN1Rm7AVm3ouSxm5yx2anD6lepZA/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token: 6694077640:AAGNnkSYN1Rm7AVm3ouSxm5yx2anD6lepZA
End-Point: getMe
Args:
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:21 16:37:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.16
CodeSize: 734208
InitializedDataSize: 23512064
UninitializedDataSize: -
EntryPoint: 0x1e5db28
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 10.0.0.3
ProductVersionNumber: 10.0.0.3
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Realtek Semiconductor
FileDescription: Realtek HD Audio
FileVersion: 10.0.0.3
InternalName: RtHDVBgProc.exe
LegalCopyright: 2017 (c) Realtek Semiconductor. All rights reserved.
OriginalFileName: taskhostw.exe
ProductName: Realtek HD Audio
ProductVersion: 10.0.0.3
No data.
Total processes: 132
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> taskhostw.exe, svchost.exe, slui.exe

Process information

PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 2336
CMD: "C:\Users\admin\Desktop\taskhostw.exe"
Path: C:\Users\admin\Desktop\taskhostw.exe
Parent process: explorer.exe
User: admin
Company: Realtek Semiconductor
Integrity Level: MEDIUM
Description: Realtek HD Audio
Version: 10.0.0.3
Modules (images):
c:\users\admin\desktop\taskhostw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 8228
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 6 982
Read events: 6 942
Write events: 3
Delete events: 37

Modification events

(PID) Process: (2336) taskhostw.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2336) taskhostw.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2336) taskhostw.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2336) taskhostw.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation: delete value
Name: Realtek HD Audio
Value:
Executable files: 1
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2336 | taskhostw.exe | C:\Users\admin\AppData\Local\Temp\aut9E81.tmp | binary
  MD5: 52B38C5025C2ECFA9A101E97CC48BFDF
  SHA256: D35F48DF7A4B20E7213B9530A9401F52D8EEEF833EFD0836583A841835BAFDC1

2336 | taskhostw.exe | C:\Users\admin\AppData\Local\Temp\aut9B73.tmp | executable
  MD5: BE3B1C4ED8E565B95DCCB9FFBAAFA249
  SHA256: 8F2A1E7E29712B1783EB8320E9C2EC78176BB3EFE9FA14656AB7736A01242779

2336 | taskhostw.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].json | text
  MD5: CF32E3E523EE76E4544DE3300D2BA12B
  SHA256: BE5803376BAAF5295F115FC10AE70B781115A083DC2A2EBD3CD8BFC9CFD4F135

2336 | taskhostw.exe | C:\ProgramData\Setup\bip39.txt | text
  MD5: 51CA2264F5B3AD532A4D6DAE175E1750
  SHA256: D2BD2AEB50AC5DF60C1EB10AFCEC2B680D5A8A9F2BBC74A15C45BF3525528334
HTTP(S) requests: 48
TCP/UDP connections: 49
DNS requests: 20
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

6352 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | | | whitelisted
6352 | SIHClient.exe | GET | 200 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | | | whitelisted
| | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
8776 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
| | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
6352 | SIHClient.exe | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | US | | | whitelisted
| | POST | 200 | 40.126.32.138:443 | https://login.live.com/RST2.srf | US | text | 11.1 Kb | whitelisted
6352 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | | | Not routed | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
| | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | | | Not routed | whitelisted
| | 23.216.77.20:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.216.77.20:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
8776 | svchost.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
| | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
google.com
  • 142.250.201.78
whitelisted
crl.microsoft.com
  • 23.216.77.20
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.59.18.102
  • 88.221.169.152
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.68
  • 40.126.31.69
  • 40.126.31.2
  • 20.190.159.129
  • 20.190.159.75
  • 20.190.159.131
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
www.google.com
  • 142.251.36.100
whitelisted
api.telegram.org
  • 149.154.166.110
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted

Threats

PID | Process | Class | Message

2292 | svchost.exe | Misc activity | INFO [ANY.RUN] External IP Check (ip-api .com)
2292 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2292 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2336 | taskhostw.exe | Potential Corporate Privacy Violation | ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2336 | taskhostw.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2292 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
2336 | taskhostw.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
No debug info