Taskmgr.exe

File Path: C:\windows\SysWOW64\Taskmgr.exe
Description: Task Manager

Screenshot

Taskmgr.exe

Hashes

Type	Hash
MD5	`9919D598108E8E449D98ABA2C43D2F20`
SHA1	`4AA9BF6DF9F16DF19BBF5F6F67265F68F94B4880`
SHA256	`DE72DCB5E14F7D6A4B3E55B273A10A16C6DE77DBB7A6F8575EA14E52AA58583C`
SHA384	`2DF9DD8F0CADE60487904BB0792C0BFB721D1D85481C93A99464DDE6C9644C8FBFBD590E9A7C25313A2A46D5D3703C9E`
SHA512	`ADE8538DD91B230BFFF77DADBF7CDDA6A947A174CCE54E58AF2E6D0585CD921724859DA6E92289746D773FD58BC28E05EC6105255E8928DF13CDCD5656A1361E`
SSDEEP	`12288:nB3FY4HweKPoLYtRRc3EB11N3JBdb2P2Rp7pkprpeK7BxE7q4BPE2:nB1pH8iSU0BhJrccSrAcBe7q4h/`

Signature

Status: Signature verified.
Serial: 330000004EA1D80770A9BBE94400000000004E
Thumbprint: DF3B9B7E5AEA1AA0B82EA25F542A6A00963AB890
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: Taskmgr.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)

Possible Misuse

The following table contains possible examples of Taskmgr.exe being misused. While Taskmgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	win_susp_lsass_dump_generic.yml	`- '\taskmgr.exe'`	DRL 1.0
sigma	win_alert_lsass_access.yml	`- 'C:\Windows\System32\Taskmgr.exe'`	DRL 1.0
sigma	win_alert_lsass_access.yml	`- Some Taskmgr.exe related activity`	DRL 1.0
sigma	file_event_win_creation_system_file.yml	`- '\Taskmgr.exe'`	DRL 1.0
sigma	file_event_win_creation_system_file.yml	`- '\taskmgr.exe'`	DRL 1.0
sigma	proc_access_win_cred_dump_lsass_access.yml	`- 'C:\WINDOWS\system32\taskmgr.exe'`	DRL 1.0
sigma	proc_access_win_cred_dump_lsass_access.yml	`# - '\taskmgr.exe'`	DRL 1.0
sigma	proc_access_win_lsass_memdump.yml	`description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.`	DRL 1.0
sigma	proc_access_win_lsass_memdump.yml	`- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html`	DRL 1.0
sigma	proc_access_win_susp_proc_access_lsass.yml	`- 'C:\WINDOWS\system32\taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_ransom_blackbyte.yml	`- 'del C:\Windows\System32\Taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_susp_spoolsv_child_processes.yml	`- \taskmgr.exe`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_localsystem.yml	`title: Taskmgr as LOCAL_SYSTEM`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_localsystem.yml	`description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_localsystem.yml	`Image\\|endswith: '\taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_parent.yml	`title: Taskmgr as Parent`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_parent.yml	`ParentImage\\|endswith: '\taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_susp_taskmgr_parent.yml	`- '\taskmgr.exe'`	DRL 1.0
sigma	proc_creation_win_system_exe_anomaly.yml	`- '\Taskmgr.exe'`	DRL 1.0
signature-base	crime_cn_campaign_njrat.yar	$a3 = “taskkill /f /im taskmgr.exe” fullword ascii	CC BY-NC 4.0
signature-base	gen_cn_hacktools.yar	$s2 = “Kiwi Taskmgr no-gpo” fullword wide	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe”	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	$s1 = “taskmgr.chm” fullword	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	( filename == “taskmgr.exe” or filename == “Taskmgr.exe” ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC	CC BY-NC 4.0