ServerManager.exe
- File Path:
C:\Windows\system32\ServerManager.exe - Description: Server Manager
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 65ADE21DC82C01972891285581D85866 |
| SHA1 | D6E44F1F5D9DF6EBEEDB3D986EA057D42D48EB83 |
| SHA256 | 57FB008FAEB05DD34FC1C224CE456B38CED950243FBAC7F7CB348DF68F990EBE |
| SHA384 | 80D3F5E653E25C67C3F55F91EE339E9FE26854360DD48C74A280552D3522BAF53D4FF8B2CC40F77357BEACDAE657BC3C |
| SHA512 | AA9D0C7F33F64EACE2E0350065BEEE138457E73A263B145D98E1BAEA0A8EE48AABB27C057C6582A7D6A2CC8FAAA59ED2503F02BA4ECC662FD937048656BE809B |
| SSDEEP | 3072:2X/CdVBluX1B/7a5jLf8fyOcR1HnPYctZLF9nM6zQf:2vCdrElhwfzAGR9M |
| IMP | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| PESHA1 | 5F43FC13EC92E5599B4A8138030F1E790ED59D2E |
| PE256 | 75AEAF515FDD94240EDE99FA86D1CEC0D3F154835C816E26B4FE44F064424FA7 |
Runtime Data
Child Processes:
Configure-SMRemoting.exe
Window Title:
Server Manager
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\msctfui.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\propsys.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\shell32.dll.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 | File |
| (RWD) C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools | File |
| ...\Cor_SxSPublic_IPCBlock | Section |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\Cor_Private_IPCBlock_v4_4240 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \BaseNamedObjects\windows_shell_global_counters | Section |
| \RPC Control\DSEC1090 | Section |
| \Sessions\2\BaseNamedObjects\1090HWNDInterface:f04ae | Section |
| \Sessions\2\BaseNamedObjects\ServerManagerMultiMachine | Section |
| \Sessions\2\BaseNamedObjects\UrlZonesSM_Administrator | Section |
| \Sessions\2\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\2\Windows\Theme2131664586 | Section |
| \Windows\Theme966197582 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\56fe9c165d19a05f8b992578906dd4d4\Microsoft.Management.UI.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\0c9a1da5f56dfaa4fb36197766a8741f\Microsoft.Windows.ServerManager.Common.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\5543cca0df435801e2303ff46a482ed5\mscorlib.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\5aed9b86d6cdfe40010a07e62084f773\PresentationFramework.Aero.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\2765d5dfb05e889760491cc0e1f68a4e\PresentationFramework-SystemXml.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\d1101640429a2c3d8c6c257103ad22c1\PresentationFramework.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\3f2a862342191027edcb96c316333f89\PresentationFramework-SystemCore.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\fc91c5553de4f5b4c206769962382b62\PresentationFramework.Aero2.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\8fad18d47be73b98845c53d0e6d3b964\PresentationCore.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\875dc3cfd53efc9f9a5c63016cd239d7\System.Configuration.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\f29b1120627489754c4b8dd317bbe950\System.Core.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\6c6bbae87386b6a33957366eae0e4470\System.Drawing.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bb0ca52db926eaec4a94a8b656f61a94\System.Management.Automation.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\23c1e20aa87eccaf2c33ba9f47d2319e\System.Windows.Forms.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xaml\12c01954752c224882de75b4418c8382\System.Xaml.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\488d073901c2c0fb8ccbcbe182b6b160\System.Xml.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6885802f40fd803e49150d8a2b43a09b\System.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\UIAutomationTypes\f898d852ca0a3bf2329018f1997c623a\UIAutomationTypes.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\7766b716f453669f6453022ce957c6ad\WindowsBase.ni.dll |
| C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsForm0b574481#\e2c08b0632621691500c621ae2daec64\WindowsFormsIntegration.ni.dll |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationNative_v0400.dll |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll |
| C:\Windows\System32\ADVAPI32.dll |
| C:\Windows\SYSTEM32\Bcp47Langs.dll |
| C:\Windows\System32\bcrypt.dll |
| C:\Windows\System32\bcryptPrimitives.dll |
| C:\Windows\System32\cfgmgr32.dll |
| C:\Windows\System32\clbcatq.dll |
| C:\Windows\system32\ColorAdapterClient.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\CRYPT32.dll |
| C:\Windows\system32\CRYPTBASE.dll |
| C:\Windows\System32\CRYPTSP.dll |
| C:\Windows\system32\d3d10warp.dll |
| C:\Windows\system32\d3d11.dll |
| C:\Windows\system32\d3d9.dll |
| C:\Windows\system32\dataexchange.dll |
| C:\Windows\system32\dcomp.dll |
| C:\Windows\system32\dwmapi.dll |
| C:\Windows\SYSTEM32\dwrite.dll |
| C:\Windows\system32\dxgi.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\system32\iertutil.dll |
| C:\Windows\System32\IMM32.DLL |
| C:\Windows\System32\kernel.appcore.dll |
| C:\Windows\System32\KERNEL32.dll |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\MSASN1.dll |
| C:\Windows\system32\mscms.dll |
| C:\Windows\SYSTEM32\MSCOREE.DLL |
| C:\Windows\System32\MSCTF.dll |
| C:\Windows\system32\msctfui.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\system32\MSVCP120_CLR0400.dll |
| C:\Windows\SYSTEM32\MSVCR120_CLR0400.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\ole32.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\System32\powrprof.dll |
| C:\Windows\System32\profapi.dll |
| C:\Windows\system32\PROPSYS.dll |
| C:\Windows\system32\RMCLIENT.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\system32\rsaenh.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\system32\ServerManager.exe |
| C:\Windows\System32\shcore.dll |
| C:\Windows\System32\shell32.dll |
| C:\Windows\System32\SHLWAPI.dll |
| C:\Windows\system32\SspiCli.dll |
| C:\Windows\system32\twinapi.appcore.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\SYSTEM32\UIAutomationCore.dll |
| C:\Windows\system32\urlmon.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\system32\USERENV.dll |
| C:\Windows\system32\uxtheme.dll |
| C:\Windows\system32\VERSION.dll |
| C:\Windows\System32\win32u.dll |
| C:\Windows\System32\windows.storage.dll |
| C:\Windows\SYSTEM32\WindowsCodecs.dll |
| C:\Windows\SYSTEM32\WINSTA.dll |
| C:\Windows\SYSTEM32\wtsapi32.dll |
| C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\comctl32.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: servermanager.dll
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.168 (WinBuild.160101.0800)
- Product Version: 10.0.17763.168
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/68
- VirusTotal Link: https://www.virustotal.com/gui/file/57fb008faeb05dd34fc1c224ce456b38ced950243fbac7f7cb348df68f990ebe/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\ServerManager.exe | 68 |
Possible Misuse
The following table contains possible examples of ServerManager.exe being misused. While ServerManager.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_in_memory_powershell.yml | - '\ServerManager.exe' |
DRL 1.0 |
| sigma | image_load_wsman_provider_image_load.yml | - 'C:\Windows\System32\ServerManager.exe' |
DRL 1.0 |
MIT License. Copyright (c) 2020-2021 Strontic.