Taskmgr.exe

File Path: C:\Windows\SysWOW64\Taskmgr.exe
Description: Task Manager

Screenshot

Taskmgr.exe

Hashes

Type	Hash
MD5	`61A8F02536AB07E430715B98BAD49CAB`
SHA1	`E28DE42FC3A993305178F8EB422F5ACE9EA8B175`
SHA256	`4F5CE43A424F1970C3A4D53EBD57C158180F30D60C71DB329EE9EAC772EF3BFA`
SHA384	`13C899E8FFDE3D5E7B6CCAF0F5BEA9BF95DB5AA6F7B38B501B8A823C001EDADF4007690B7467AB415CA1ABDCF8647FE8`
SHA512	`DEF5296894CACD6B6A86AA47D6FC33854EC4EDB8D19A6800F02D6897E36CCC67769CE2FD81752A6B3091204F30747FF8CCE6758B145CD115515DAFAA0E9A14E0`
SSDEEP	`24576:OzM4t3869GFIoldFz4Dz0Q4XOqA2ASEEvyk2f1dfd:et389FXo0Q4ezCNqJf1dfd`
IMP	`7664BDECACB8B0F17968E983BF0717BE`
PESHA1	`0B78D47C61553477C38D3E895936E0FD92AC142E`
PE256	`144841F5542B7137E7050584A6DB8F42AAC237E7933817198155A72DFCACEFA2`

Runtime Data

Child Processes:

explorer.exe

Window Title:

Task Manager

Open Handles:

Path	Type
(R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb	File
(R-D) C:\Windows\Fonts\StaticCache.dat	File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui	File
(R-D) C:\Windows\System32\en-US\Taskmgr.exe.mui	File
(R-D) C:\Windows\SystemResources\Taskmgr.exe.mun	File
(RW-) C:\Users\user	File
(RW-) C:\Windows	File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984	File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	File
\BaseNamedObjects__ComCatalogCache__	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*cversions.2	Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\Sessions\1\BaseNamedObjects\C:UsersuserAppDataLocalMicrosoftWindowsCaches{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000023.db	Section
\Sessions\1\BaseNamedObjects\C:UsersuserAppDataLocalMicrosoftWindowsCachescversions.3.ro	Section
\Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference	Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters	Section
\Sessions\1\Windows\Theme449731986	Section
\Windows\Theme1396518710	Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\Taskmgr.exe

Signature

Status: Signature verified.
Serial: 33000002EC6579AD1E670890130000000002EC
Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: Taskmgr.exe
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.19041.1202 (WinBuild.160101.0800)
Product Version: 10.0.19041.1202
Language: English (United States)
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/73
VirusTotal Link: https://www.virustotal.com/gui/file/4f5ce43a424f1970c3a4d53ebd57c158180f30d60c71db329ee9eac772ef3bfa/detection

Possible Misuse

The following table contains possible examples of Taskmgr.exe being misused. While Taskmgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	win_susp_lsass_dump_generic.yml	`- '\taskmgr.exe'`	DRL 1.0
sigma	win_alert_lsass_access.yml	`- 'C:\Windows\System32\Taskmgr.exe'`	DRL 1.0
sigma	win_alert_lsass_access.yml	`- Some Taskmgr.exe related activity`	DRL 1.0
sigma	file_event_win_creation_system_file.yml	`- '\Taskmgr.exe'`	DRL 1.0
sigma	file_event_win_creation_system_file.yml	`- '\taskmgr.exe'`	DRL 1.0
sigma	proc_access_win_cred_dump_lsass_access.yml	`- 'C:\WINDOWS\system32\taskmgr.exe'`	DRL 1.0
sigma	proc_access_win_cred_dump_lsass_access.yml	`# - '\taskmgr.exe'`	DRL 1.0
sigma	proc_access_win_lsass_memdump.yml	`description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.`	DRL 1.0
sigma	proc_access_win_lsass_memdump.yml	`- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html`	DRL 1.0
sigma	proc_access_win_susp_proc_access_lsass.yml	`- 'C:\WINDOWS\system32\taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_ransom_blackbyte.yml	`- 'del C:\Windows\System32\Taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_susp_spoolsv_child_processes.yml	`- \taskmgr.exe`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_localsystem.yml	`title: Taskmgr as LOCAL_SYSTEM`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_localsystem.yml	`description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_localsystem.yml	`Image\\|endswith: '\taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_parent.yml	`title: Taskmgr as Parent`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_parent.yml	`ParentImage\\|endswith: '\taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_parent.yml	`- '\taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_system_exe_anomaly.yml	`- '\Taskmgr.exe'`	DRL 1.0
signature-base	crime_cn_campaign_njrat.yar	$a3 = “taskkill /f /im taskmgr.exe” fullword ascii	CC BY-NC 4.0
signature-base	gen_cn_hacktools.yar	$s2 = “Kiwi Taskmgr no-gpo” fullword wide	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe”	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	$s1 = “taskmgr.chm” fullword	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	( filename == “taskmgr.exe” or filename == “Taskmgr.exe” ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC	CC BY-NC 4.0