Taskmgr.exe

  • File Path: C:\WINDOWS\system32\Taskmgr.exe
  • Description: Task Manager

Screenshot

Taskmgr.exe

Hashes

Type Hash
MD5 85F06E7B3F8A078844169EE7B85C39B8
SHA1 2E513347EF73A78F50EC1C7E964C61E9CD82C114
SHA256 D5D9FF3AABFB524D80BFD5F457B40A3BD1EE757CD93806F88FBA57B7CAE88A2A
SHA384 58811AFC08471C9612CBCA89CE731647FAF849B2B6805697D04885D294836237C657F5307C843AE324A1D1616B2B137B
SHA512 DAFE88CF11046B9BF379B8A5527C51B9B179962CC6570F5762B9110C0847B1D89E3A77A99893FE702FAA176626A48BAF96A205B7270330A759FC2776EACA3FA7
SSDEEP 24576:MXyoyMygVR8ze2sp/TdXkLfCDfxME+XxX0vWbBVmcRu/eYTBS7+z:M66Tqe2ydXIfCFcXxX0vWbPmcRYeYTBx
IMP DD1A0E1A44EEF3249ADA4579D56D80D9
PESHA1 E6B43938A6EE72EC4E49F17E1542045AAF591A26
PE256 60D17B373C48AA3A2EA3719018EE3663B5FC7D41AA2217A52522131C16F515ED

Runtime Data

Window Title:

Task Manager

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\System32\en-US\propsys.dll.mui File
(R-D) C:\Windows\System32\en-US\Taskmgr.exe.mui File
(R-D) C:\Windows\SystemResources\Taskmgr.exe.mun File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 File
(RWD) C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db File
(RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\2\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000017.db Section
\Sessions\2\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\2\BaseNamedObjects\UrlZonesSM_TI-ADMIN Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\System32\advapi32.dll
C:\WINDOWS\System32\combase.dll
C:\WINDOWS\system32\credui.dll
C:\WINDOWS\system32\d3d11.dll
C:\WINDOWS\system32\d3d12.dll
C:\WINDOWS\system32\DUI70.dll
C:\WINDOWS\system32\DUser.dll
C:\WINDOWS\system32\dxcore.dll
C:\WINDOWS\system32\dxgi.dll
C:\WINDOWS\System32\GDI32.dll
C:\WINDOWS\System32\gdi32full.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcp_win.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\System32\NSI.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\OLEAUT32.dll
C:\WINDOWS\system32\pdh.dll
C:\WINDOWS\SYSTEM32\powrprof.dll
C:\WINDOWS\System32\RPCRT4.dll
C:\WINDOWS\System32\sechost.dll
C:\WINDOWS\System32\SETUPAPI.dll
C:\WINDOWS\System32\SHCORE.DLL
C:\WINDOWS\System32\SHELL32.dll
C:\WINDOWS\System32\SHLWAPI.dll
C:\WINDOWS\system32\Taskmgr.exe
C:\WINDOWS\System32\ucrtbase.dll
C:\WINDOWS\System32\USER32.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\System32\win32u.dll
C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467\COMCTL32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Taskmgr.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.184 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.184
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/d5d9ff3aabfb524d80bfd5f457b40a3bd1ee757cd93806f88fba57b7cae88a2a/detection

Possible Misuse

The following table contains possible examples of Taskmgr.exe being misused. While Taskmgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_alert_lsass_access.yml - Some Taskmgr.exe related activity DRL 1.0
sigma win_susp_lsass_dump_generic.yml - '\taskmgr.exe' DRL 1.0
sigma sysmon_creation_system_file.yml - '\Taskmgr.exe' DRL 1.0
sigma sysmon_creation_system_file.yml - '\taskmgr.exe' DRL 1.0
sigma sysmon_cred_dump_lsass_access.yml - '\taskmgr.exe' DRL 1.0
sigma sysmon_lsass_memdump.yml description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 DRL 1.0
sigma sysmon_lsass_memdump.yml - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html DRL 1.0
sigma win_susp_spoolsv_child_processes.yml - \taskmgr.exe DRL 1.0
sigma win_susp_taskmgr_localsystem.yml title: Taskmgr as LOCAL_SYSTEM DRL 1.0
sigma win_susp_taskmgr_localsystem.yml description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM DRL 1.0
sigma win_susp_taskmgr_localsystem.yml Image\|endswith: '\taskmgr.exe' DRL 1.0
sigma win_susp_taskmgr_parent.yml title: Taskmgr as Parent DRL 1.0
sigma win_susp_taskmgr_parent.yml ParentImage\|endswith: '\taskmgr.exe' DRL 1.0
sigma win_susp_taskmgr_parent.yml - '\taskmgr.exe' DRL 1.0
sigma win_system_exe_anomaly.yml - '\Taskmgr.exe' DRL 1.0
signature-base crime_cn_campaign_njrat.yar $a3 = “taskkill /f /im taskmgr.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s2 = “Kiwi Taskmgr no-gpo” fullword wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s1 = “taskmgr.chm” fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar ( filename == “taskmgr.exe” or filename == “Taskmgr.exe” ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.