Taskmgr.exe

  • File Path: C:\Windows\SysWOW64\Taskmgr.exe
  • Description: Task Manager

Screenshot: Taskmgr.exe (image not reproduced)

Hashes

| Type   | Hash |
|--------|------|
| MD5    | C5239F4DF441290CE4B7A5948F15604A |
| SHA1   | 2B40070F305F84C74C0D6F304DAB647657E42EEE |
| SHA256 | 5C5C162B1B5688FAA1928380829E4BDB12A84E07893A6C1EC39FEDBA1464D81D |
| SHA384 | C09640BE0B2E50F6558A520ED1779AE7A81455F2A3387DA57798EF754C7AD70667CAB0B91BD0D32F09595265F63932A6 |
| SHA512 | 2520069025E721655F131233B63DFBBD1D867B8CDB0D4EBBC2098AA30E3AFEECD85A1595E14C0723B7F8C63B155E5035F740B9D9149F4AF0EEFE77F26C0AD057 |
| SSDEEP | 24576:kzMSNfqoIUXK16MR4TpTfdI0sVTo8KJfF62W6f1dIRNKB:uNfqsXx5fdI02c8eg2jf1dIjK |
| IMP    | 7664BDECACB8B0F17968E983BF0717BE |
| PESHA1 | F8A5C8A9A1D15CA09C69D8561DBCB16E6269215F |
| PE256  | 3054E68E41BFB62AC1677D3E0E48A3E21351D2B76B6AA2579FADEBDE78F6C99E |

Runtime Data

Window Title:

Task Manager

Open Handles:

| Access | Path | Type |
|--------|------|------|
| (R-D) | C:\Windows\apppatch\DirectXApps_FOD.sdb | File |
| (R-D) | C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) | C:\Windows\System32\en-US\oleaccrc.dll.mui | File |
| (R-D) | C:\Windows\System32\en-US\propsys.dll.mui | File |
| (R-D) | C:\Windows\System32\en-US\Taskmgr.exe.mui | File |
| (R-D) | C:\Windows\SystemResources\Taskmgr.exe.mun | File |
| (RW-) | C:\Users\user | File |
| (RW-) | C:\Windows | File |
| (RW-) | C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 | File |
| (RWD) | C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | File |
| (RWD) | C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | File |
|       | \BaseNamedObjects\__ComCatalogCache__ | Section |
|       | \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
|       | \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
|       | \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
|       | \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
|       | \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
|       | \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000009.db | Section |
|       | \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro | Section |
|       | \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference | Section |
|       | \Sessions\1\BaseNamedObjects\windows_shell_global_counters | Section |
|       | \Sessions\1\Windows\Theme1175649999 | Section |
|       | \Windows\Theme601709542 | Section |

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\Taskmgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Taskmgr.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.662 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.662
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/5c5c162b1b5688faa1928380829e4bdb12a84e07893a6c1ec39fedba1464d81d/detection

Possible Misuse

The following table lists detection rules and signatures that reference Taskmgr.exe as a possible indicator of misuse. Taskmgr.exe is not inherently malicious, but its legitimate functionality (for example, creating process memory dumps) can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | win_alert_lsass_access.yml | - Some Taskmgr.exe related activity | DRL 1.0 |
| sigma | win_susp_lsass_dump_generic.yml | - '\taskmgr.exe' | DRL 1.0 |
| sigma | sysmon_creation_system_file.yml | - '*\Taskmgr.exe' | DRL 1.0 |
| sigma | sysmon_creation_system_file.yml | - '*\taskmgr.exe' | DRL 1.0 |
| sigma | sysmon_cred_dump_lsass_access.yml | - '\taskmgr.exe' | DRL 1.0 |
| sigma | sysmon_lsass_memdump.yml | description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 | DRL 1.0 |
| sigma | sysmon_lsass_memdump.yml | - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html | DRL 1.0 |
| sigma | win_susp_taskmgr_localsystem.yml | title: Taskmgr as LOCAL_SYSTEM | DRL 1.0 |
| sigma | win_susp_taskmgr_localsystem.yml | description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM | DRL 1.0 |
| sigma | win_susp_taskmgr_localsystem.yml | Image: '*\taskmgr.exe' | DRL 1.0 |
| sigma | win_susp_taskmgr_parent.yml | title: Taskmgr as Parent | DRL 1.0 |
| sigma | win_susp_taskmgr_parent.yml | ParentImage: '*\taskmgr.exe' | DRL 1.0 |
| sigma | win_susp_taskmgr_parent.yml | - '*\taskmgr.exe' | DRL 1.0 |
| sigma | win_system_exe_anomaly.yml | - '*\Taskmgr.exe' | DRL 1.0 |
| signature-base | crime_cn_campaign_njrat.yar | $a3 = "taskkill /f /im taskmgr.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s2 = "Kiwi Taskmgr no-gpo" fullword wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $s1 = "taskmgr.chm" fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | ( filename == "taskmgr.exe" or filename == "Taskmgr.exe" ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.