Taskmgr.exe

  • File Path: C:\windows\SysWOW64\Taskmgr.exe
  • Description: Task Manager

Hashes

  • MD5: 9919D598108E8E449D98ABA2C43D2F20
  • SHA1: 4AA9BF6DF9F16DF19BBF5F6F67265F68F94B4880
  • SHA256: DE72DCB5E14F7D6A4B3E55B273A10A16C6DE77DBB7A6F8575EA14E52AA58583C
  • SHA384: 2DF9DD8F0CADE60487904BB0792C0BFB721D1D85481C93A99464DDE6C9644C8FBFBD590E9A7C25313A2A46D5D3703C9E
  • SHA512: ADE8538DD91B230BFFF77DADBF7CDDA6A947A174CCE54E58AF2E6D0585CD921724859DA6E92289746D773FD58BC28E05EC6105255E8928DF13CDCD5656A1361E
  • SSDEEP: 12288:nB3FY4HweKPoLYtRRc3EB11N3JBdb2P2Rp7pkprpeK7BxE7q4BPE2:nB1pH8iSU0BhJrccSrAcBe7q4h/

Signature

  • Status: Signature verified.
  • Serial: 330000004EA1D80770A9BBE94400000000004E
  • Thumbprint: DF3B9B7E5AEA1AA0B82EA25F542A6A00963AB890
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Taskmgr.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following list contains possible examples of Taskmgr.exe being misused. While Taskmgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry gives the source, the source file, its license, and the matching line from that file.

  • sigma, win_susp_lsass_dump_generic.yml (DRL 1.0): - '\taskmgr.exe'
  • sigma, win_alert_lsass_access.yml (DRL 1.0): - 'C:\Windows\System32\Taskmgr.exe'
  • sigma, win_alert_lsass_access.yml (DRL 1.0): - Some Taskmgr.exe related activity
  • sigma, file_event_win_creation_system_file.yml (DRL 1.0): - '\Taskmgr.exe'
  • sigma, file_event_win_creation_system_file.yml (DRL 1.0): - '\taskmgr.exe'
  • sigma, proc_access_win_cred_dump_lsass_access.yml (DRL 1.0): - 'C:\WINDOWS\system32\taskmgr.exe'
  • sigma, proc_access_win_cred_dump_lsass_access.yml (DRL 1.0): # - '\taskmgr.exe'
  • sigma, proc_access_win_lsass_memdump.yml (DRL 1.0): description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
  • sigma, proc_access_win_lsass_memdump.yml (DRL 1.0): - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
  • sigma, proc_access_win_susp_proc_access_lsass.yml (DRL 1.0): - 'C:\WINDOWS\system32\taskmgr.exe'
  • sigma, proc_creation_win_ransom_blackbyte.yml (DRL 1.0): - 'del C:\Windows\System32\Taskmgr.exe'
  • sigma, proc_creation_win_susp_spoolsv_child_processes.yml (DRL 1.0): - \taskmgr.exe
  • sigma, proc_creation_win_susp_taskmgr_localsystem.yml (DRL 1.0): title: Taskmgr as LOCAL_SYSTEM
  • sigma, proc_creation_win_susp_taskmgr_localsystem.yml (DRL 1.0): description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
  • sigma, proc_creation_win_susp_taskmgr_localsystem.yml (DRL 1.0): Image|endswith: '\taskmgr.exe'
  • sigma, proc_creation_win_susp_taskmgr_parent.yml (DRL 1.0): title: Taskmgr as Parent
  • sigma, proc_creation_win_susp_taskmgr_parent.yml (DRL 1.0): ParentImage|endswith: '\taskmgr.exe'
  • sigma, proc_creation_win_susp_taskmgr_parent.yml (DRL 1.0): - '\taskmgr.exe'
  • sigma, proc_creation_win_system_exe_anomaly.yml (DRL 1.0): - '\Taskmgr.exe'
  • signature-base, crime_cn_campaign_njrat.yar (CC BY-NC 4.0): $a3 = "taskkill /f /im taskmgr.exe" fullword ascii
  • signature-base, gen_cn_hacktools.yar (CC BY-NC 4.0): $s2 = "Kiwi Taskmgr no-gpo" fullword wide
  • signature-base, thor_inverse_matches.yar (CC BY-NC 4.0): description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe"
  • signature-base, thor_inverse_matches.yar (CC BY-NC 4.0): $s1 = "taskmgr.chm" fullword
  • signature-base, thor_inverse_matches.yar (CC BY-NC 4.0): ( filename == "taskmgr.exe" or filename == "Taskmgr.exe" ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC

MIT License. Copyright (c) 2020-2021 Strontic.