Taskmgr.exe

  • File Path: C:\Windows\SysWOW64\Taskmgr.exe
  • Description: Task Manager

Screenshot

Taskmgr.exe

Hashes

Type Hash
MD5 719821FAFBB0255708C1F3709DFF090A
SHA1 6C584DC8A8CCCEBCEF486478EE65BF5C0DD3A4E6
SHA256 2CD93ADD1272E528E4D46A24F06CAFE4DAC90EFDC509B49E168EA164BE495803
SHA384 B5F5259051CC836E668520FC7F24D9EEF0D73C361EEF8F138391B8C61B8D440884E7C74CE009C27393CC0E616EFA6C15
SHA512 4FB68B00A6A2943CB59DF4DA338314A95010182EAD5F7B628113CD69875BA970C8C24C772A6E4EA24DA5288D6C63D26587CB88FE814D141CC3D67D7C628C8FE7
SSDEEP 24576:TzMMjpncoJGNdpPbHelpMiLdzFcRg/6u1Xsknsf1dzev:1jpnkdpkpLdzWuzcff1dzo
IMP 6D526B071B0AD117CAE0160341F4627E
PESHA1 61B55477B8961E4F6363E270D92E980700A461F9
PE256 A9AB411F6F7766E14B290EAAF29EC915ADEEBDF2CDACF991FF74BC1B03CDED9F

Runtime Data

Window Title:

Task Manager

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\System32\en-US\Taskmgr.exe.mui File
(R-D) C:\Windows\SystemResources\Taskmgr.exe.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
(RWD) C:\Windows File
(RWD) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\pris File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000008.db Section
\Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro Section
\Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\Windows\Theme1800662698 Section
\Windows\Theme722103516 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\Taskmgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Taskmgr.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.546 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.546
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/2cd93add1272e528e4d46a24f06cafe4dac90efdc509b49e168ea164be495803/detection

Possible Misuse

The following table contains possible examples of Taskmgr.exe being misused. While Taskmgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\taskmgr.exe' DRL 1.0
sigma win_alert_lsass_access.yml - 'C:\Windows\System32\Taskmgr.exe' DRL 1.0
sigma win_alert_lsass_access.yml - Some Taskmgr.exe related activity DRL 1.0
sigma file_event_win_creation_system_file.yml - '\Taskmgr.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\taskmgr.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\WINDOWS\system32\taskmgr.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml # - '\taskmgr.exe' DRL 1.0
sigma proc_access_win_lsass_memdump.yml description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. DRL 1.0
sigma proc_access_win_lsass_memdump.yml - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\WINDOWS\system32\taskmgr.exe' DRL 1.0
sigma proc_creation_win_ransom_blackbyte.yml - 'del C:\Windows\System32\Taskmgr.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \taskmgr.exe DRL 1.0
sigma proc_creation_win_susp_taskmgr_localsystem.yml title: Taskmgr as LOCAL_SYSTEM DRL 1.0
sigma proc_creation_win_susp_taskmgr_localsystem.yml description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM DRL 1.0
sigma proc_creation_win_susp_taskmgr_localsystem.yml Image\|endswith: '\taskmgr.exe' DRL 1.0
sigma proc_creation_win_susp_taskmgr_parent.yml title: Taskmgr as Parent DRL 1.0
sigma proc_creation_win_susp_taskmgr_parent.yml ParentImage\|endswith: '\taskmgr.exe' DRL 1.0
sigma proc_creation_win_susp_taskmgr_parent.yml - '\taskmgr.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\Taskmgr.exe' DRL 1.0
signature-base crime_cn_campaign_njrat.yar $a3 = “taskkill /f /im taskmgr.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s2 = “Kiwi Taskmgr no-gpo” fullword wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s1 = “taskmgr.chm” fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar ( filename == “taskmgr.exe” or filename == “Taskmgr.exe” ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.