Taskmgr.exe
- File Path:
C:\WINDOWS\system32\Taskmgr.exe - Description: Task Manager
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 85F06E7B3F8A078844169EE7B85C39B8 |
| SHA1 | 2E513347EF73A78F50EC1C7E964C61E9CD82C114 |
| SHA256 | D5D9FF3AABFB524D80BFD5F457B40A3BD1EE757CD93806F88FBA57B7CAE88A2A |
| SHA384 | 58811AFC08471C9612CBCA89CE731647FAF849B2B6805697D04885D294836237C657F5307C843AE324A1D1616B2B137B |
| SHA512 | DAFE88CF11046B9BF379B8A5527C51B9B179962CC6570F5762B9110C0847B1D89E3A77A99893FE702FAA176626A48BAF96A205B7270330A759FC2776EACA3FA7 |
| SSDEEP | 24576:MXyoyMygVR8ze2sp/TdXkLfCDfxME+XxX0vWbBVmcRu/eYTBS7+z:M66Tqe2ydXIfCFcXxX0vWbPmcRYeYTBx |
| IMP | DD1A0E1A44EEF3249ADA4579D56D80D9 |
| PESHA1 | E6B43938A6EE72EC4E49F17E1542045AAF591A26 |
| PE256 | 60D17B373C48AA3A2EA3719018EE3663B5FC7D41AA2217A52522131C16F515ED |
Runtime Data
Window Title:
Task Manager
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\propsys.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\Taskmgr.exe.mui | File |
| (R-D) C:\Windows\SystemResources\Taskmgr.exe.mun | File |
| (RW-) C:\Windows\System32 | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 | File |
| (RWD) C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup | File |
| (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | File |
| (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | File |
| (RWD) C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\2\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000017.db | Section |
| \Sessions\2\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\SessionImmersiveColorPreference | Section |
| \Sessions\2\BaseNamedObjects\UrlZonesSM_TI-ADMIN | Section |
| \Sessions\2\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\2\Windows\Theme1077709572 | Section |
| \Windows\Theme3461253685 | Section |
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\System32\advapi32.dll |
| C:\WINDOWS\System32\combase.dll |
| C:\WINDOWS\system32\credui.dll |
| C:\WINDOWS\system32\d3d11.dll |
| C:\WINDOWS\system32\d3d12.dll |
| C:\WINDOWS\system32\DUI70.dll |
| C:\WINDOWS\system32\DUser.dll |
| C:\WINDOWS\system32\dxcore.dll |
| C:\WINDOWS\system32\dxgi.dll |
| C:\WINDOWS\System32\GDI32.dll |
| C:\WINDOWS\System32\gdi32full.dll |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\System32\msvcp_win.dll |
| C:\WINDOWS\System32\msvcrt.dll |
| C:\WINDOWS\System32\NSI.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\OLEAUT32.dll |
| C:\WINDOWS\system32\pdh.dll |
| C:\WINDOWS\SYSTEM32\powrprof.dll |
| C:\WINDOWS\System32\RPCRT4.dll |
| C:\WINDOWS\System32\sechost.dll |
| C:\WINDOWS\System32\SETUPAPI.dll |
| C:\WINDOWS\System32\SHCORE.DLL |
| C:\WINDOWS\System32\SHELL32.dll |
| C:\WINDOWS\System32\SHLWAPI.dll |
| C:\WINDOWS\system32\Taskmgr.exe |
| C:\WINDOWS\System32\ucrtbase.dll |
| C:\WINDOWS\System32\USER32.dll |
| C:\WINDOWS\system32\UxTheme.dll |
| C:\WINDOWS\System32\win32u.dll |
| C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467\COMCTL32.dll |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: Taskmgr.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.184 (WinBuild.160101.0800)
- Product Version: 10.0.22000.184
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/d5d9ff3aabfb524d80bfd5f457b40a3bd1ee757cd93806f88fba57b7cae88a2a/detection
Possible Misuse
The following table contains possible examples of Taskmgr.exe being misused. While Taskmgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_susp_lsass_dump_generic.yml | - '\taskmgr.exe' |
DRL 1.0 |
| sigma | win_alert_lsass_access.yml | - 'C:\Windows\System32\Taskmgr.exe' |
DRL 1.0 |
| sigma | win_alert_lsass_access.yml | - Some Taskmgr.exe related activity |
DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\Taskmgr.exe' |
DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | - 'C:\WINDOWS\system32\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | # - '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump.yml | description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump.yml | - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | - 'C:\WINDOWS\system32\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_ransom_blackbyte.yml | - 'del C:\Windows\System32\Taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \taskmgr.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_localsystem.yml | title: Taskmgr as LOCAL_SYSTEM |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_localsystem.yml | description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_localsystem.yml | Image\|endswith: '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_parent.yml | title: Taskmgr as Parent |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_parent.yml | ParentImage\|endswith: '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_parent.yml | - '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\Taskmgr.exe' |
DRL 1.0 |
| signature-base | crime_cn_campaign_njrat.yar | $a3 = “taskkill /f /im taskmgr.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s2 = “Kiwi Taskmgr no-gpo” fullword wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $s1 = “taskmgr.chm” fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | ( filename == “taskmgr.exe” or filename == “Taskmgr.exe” ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.