Taskmgr.exe
- File Path:
C:\Windows\SysWOW64\Taskmgr.exe - Description: Task Manager
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | C5239F4DF441290CE4B7A5948F15604A |
| SHA1 | 2B40070F305F84C74C0D6F304DAB647657E42EEE |
| SHA256 | 5C5C162B1B5688FAA1928380829E4BDB12A84E07893A6C1EC39FEDBA1464D81D |
| SHA384 | C09640BE0B2E50F6558A520ED1779AE7A81455F2A3387DA57798EF754C7AD70667CAB0B91BD0D32F09595265F63932A6 |
| SHA512 | 2520069025E721655F131233B63DFBBD1D867B8CDB0D4EBBC2098AA30E3AFEECD85A1595E14C0723B7F8C63B155E5035F740B9D9149F4AF0EEFE77F26C0AD057 |
| SSDEEP | 24576:kzMSNfqoIUXK16MR4TpTfdI0sVTo8KJfF62W6f1dIRNKB:uNfqsXx5fdI02c8eg2jf1dIjK |
| IMP | 7664BDECACB8B0F17968E983BF0717BE |
| PESHA1 | F8A5C8A9A1D15CA09C69D8561DBCB16E6269215F |
| PE256 | 3054E68E41BFB62AC1677D3E0E48A3E21351D2B76B6AA2579FADEBDE78F6C99E |
Runtime Data
Window Title:
Task Manager
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb | File |
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\propsys.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\Taskmgr.exe.mui | File |
| (R-D) C:\Windows\SystemResources\Taskmgr.exe.mun | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 | File |
| (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | File |
| (RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000009.db | Section |
| \Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro | Section |
| \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference | Section |
| \Sessions\1\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\Windows\Theme1175649999 | Section |
| \Windows\Theme601709542 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\Taskmgr.exe |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: Taskmgr.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.662 (WinBuild.160101.0800)
- Product Version: 10.0.19041.662
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/5c5c162b1b5688faa1928380829e4bdb12a84e07893a6c1ec39fedba1464d81d/detection
Possible Misuse
The following table contains possible examples of Taskmgr.exe being misused. While Taskmgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_susp_lsass_dump_generic.yml | - '\taskmgr.exe' |
DRL 1.0 |
| sigma | win_alert_lsass_access.yml | - 'C:\Windows\System32\Taskmgr.exe' |
DRL 1.0 |
| sigma | win_alert_lsass_access.yml | - Some Taskmgr.exe related activity |
DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\Taskmgr.exe' |
DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | - 'C:\WINDOWS\system32\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | # - '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump.yml | description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. |
DRL 1.0 |
| sigma | proc_access_win_lsass_memdump.yml | - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | - 'C:\WINDOWS\system32\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_ransom_blackbyte.yml | - 'del C:\Windows\System32\Taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \taskmgr.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_localsystem.yml | title: Taskmgr as LOCAL_SYSTEM |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_localsystem.yml | description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_localsystem.yml | Image\|endswith: '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_parent.yml | title: Taskmgr as Parent |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_parent.yml | ParentImage\|endswith: '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_taskmgr_parent.yml | - '\taskmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\Taskmgr.exe' |
DRL 1.0 |
| signature-base | crime_cn_campaign_njrat.yar | $a3 = “taskkill /f /im taskmgr.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s2 = “Kiwi Taskmgr no-gpo” fullword wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $s1 = “taskmgr.chm” fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | ( filename == “taskmgr.exe” or filename == “Taskmgr.exe” ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.