Taskmgr.exe

  • File Path: C:\Windows\system32\Taskmgr.exe
  • Description: Task Manager

Screenshot

Taskmgr.exe

Hashes

Type Hash
MD5 085DEA8FAD1133171C5CA43B3A1113CD
SHA1 D5519FEE10324AEFEF6AAB144416513C966541C5
SHA256 9095106C3229E14FB7F2B61F45ABF93E9B51F0CDAB4540B5E8FB9DF1EA399ED4
SHA384 445A110F905681592380C5A8716F27957EA06627C32D9A26F501725E0718F25A3E402B676B4814555E38EA5CFC03A47E
SHA512 09DA5827D26C2BC07A53CAA435B53A91C6D380B215FF3DF86DB054F7DA0696A886CB2EAF5A4F6609FD8669C5BA3B4752E1E373FFBD1F8A738F4126DAD8DA0CAC
SSDEEP 24576:Tx0igU3AEffLrtHagN86ijDj+6DwwbCutTYnpsjzA8nN21d73eU:Fzz3LJHagN86ij+kCuNYpsnA8nN21d7v
IMP 6C979042BFB94D319299531016A3C673
PESHA1 7F49764D8B757DDF8220AB118E6E1626463A5A72
PE256 EEE8B30E8523D2AE0DA989D12D20C2039667F48BD54DC0D57D2950918145623A

Runtime Data

Window Title:

Task Manager

Open Handles:

Path Type
(R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\System32\en-US\propsys.dll.mui File
(R-D) C:\Windows\System32\en-US\Taskmgr.exe.mui File
(R-D) C:\Windows\SystemResources\Taskmgr.exe.mun File
(RW-) C:\Users\user\Documents File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000009.db Section
\Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro Section
\Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\Windows\Theme1703657751 Section
\Windows\Theme1455388728 Section

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\system32\credui.dll
C:\Windows\system32\d3d11.dll
C:\Windows\system32\d3d12.dll
C:\Windows\system32\DUI70.dll
C:\Windows\system32\DUser.dll
C:\Windows\system32\dxcore.dll
C:\Windows\system32\dxgi.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\System32\NSI.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\system32\pdh.dll
C:\Windows\SYSTEM32\powrprof.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SETUPAPI.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\system32\Taskmgr.exe
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\UxTheme.dll
C:\Windows\System32\win32u.dll
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21\COMCTL32.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Taskmgr.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/66
  • VirusTotal Link: https://www.virustotal.com/gui/file/9095106c3229e14fb7f2b61f45abf93e9b51f0cdab4540b5e8fb9df1ea399ed4/detection/

Possible Misuse

The following table contains possible examples of Taskmgr.exe being misused. While Taskmgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_alert_lsass_access.yml - Some Taskmgr.exe related activity DRL 1.0
sigma win_susp_lsass_dump_generic.yml - '\taskmgr.exe' DRL 1.0
sigma sysmon_creation_system_file.yml - '*\Taskmgr.exe' DRL 1.0
sigma sysmon_creation_system_file.yml - '*\taskmgr.exe' DRL 1.0
sigma sysmon_cred_dump_lsass_access.yml - '\taskmgr.exe' DRL 1.0
sigma sysmon_lsass_memdump.yml description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 DRL 1.0
sigma sysmon_lsass_memdump.yml - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html DRL 1.0
sigma win_susp_taskmgr_localsystem.yml title: Taskmgr as LOCAL_SYSTEM DRL 1.0
sigma win_susp_taskmgr_localsystem.yml description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM DRL 1.0
sigma win_susp_taskmgr_localsystem.yml Image: '*\taskmgr.exe' DRL 1.0
sigma win_susp_taskmgr_parent.yml title: Taskmgr as Parent DRL 1.0
sigma win_susp_taskmgr_parent.yml ParentImage: '*\taskmgr.exe' DRL 1.0
sigma win_susp_taskmgr_parent.yml - '*\taskmgr.exe' DRL 1.0
sigma win_system_exe_anomaly.yml - '*\Taskmgr.exe' DRL 1.0
signature-base crime_cn_campaign_njrat.yar $a3 = “taskkill /f /im taskmgr.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s2 = “Kiwi Taskmgr no-gpo” fullword wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s1 = “taskmgr.chm” fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar ( filename == “taskmgr.exe” or filename == “Taskmgr.exe” ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.