taskhostw.exe

  • File Path: C:\WINDOWS\system32\taskhostw.exe
  • Description: Host Process for Windows Tasks

Hashes

Type     Hash
MD5      8AC325C757FA721B272ECEA19EBCF745
SHA1     9245F36AA783167E0AFE948B1C0E8E7F3B81E3D4
SHA256   0BEC3128B241FA533DC5A9D3F62AA41323D205DEFC30DCDE228C5ECC2D1E50A9
SHA384   A07271653F5CDA69F41E4CF3FC8E55FEA4CF1E2D99CD86D9A4CB77FBC6D408E335502F99E1E9835202DB7A64E53F59CF
SHA512   B0D66CB3AE5A19D33A62779DDF93A38AD9FDA4660D364BDBF5BE10C32E087B8484EFCD208EB5B4BFE10D37517F43265D9BBFB29A163946A17F8C6AE0D10303AA
SSDEEP   1536:b2cfEpwTrLoyh7ac8xcZzktOT+K8fTrTbKU2d8TPeF:bdf9P38xyzGOT+K8f3TbKUrTo

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: taskhostw.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table lists public detection and emulation sources that reference taskhostw.exe. taskhostw.exe is not inherently malicious: it is the signed Microsoft host for scheduled-task DLLs, and the references below fall into two kinds. The Sigma rules match on its image path (whether as the observed process or as a legitimate-process exclusion depends on the individual rule), while the Atomic Red Team test abuses only its name, copying powershell.exe to a non-standard path under that name so that a process list shows a plausible-looking "taskhostw.exe".

Source          | Source File                               | Example                                                                                              | License
sigma           | image_load_suspicious_vss_ps_load.yml     | - 'taskhostw.exe'                                                                                    | DRL 1.0
sigma           | image_load_wmi_module_load.yml            | - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe                             | DRL 1.0
sigma           | proc_access_win_cred_dump_lsass_access.yml | - 'C:\WINDOWS\system32\taskhostw.exe'                                                               | DRL 1.0
sigma           | proc_access_win_in_memory_assembly_execution.yml | - 'C:\WINDOWS\system32\taskhostw.exe'                                                         | DRL 1.0
sigma           | proc_access_win_susp_proc_access_lsass.yml | - 'C:\WINDOWS\system32\taskhostw.exe'                                                               | DRL 1.0
atomic-red-team | index.md                                  | - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]                  | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md                          | - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]                  | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md                              | - Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe                           | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md                              | ## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe                          | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md                              | Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.   | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md                              | Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from a non-standard path. | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md                              | copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y            | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md                              | cmd.exe /K %APPDATA%\taskhostw.exe                                                                   | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md                              | del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1                                                          | MIT License. © 2018 Red Canary
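
The Atomic Red Team steps above produce a process named taskhostw.exe whose on-disk image is really powershell.exe. The following PowerShell is an added example written for this page; it is not code from Strontic, Sigma or the Atomic Red Team project. It walks every running taskhostw.exe and compares it against the properties documented above: the expected path, the signer subject, the OriginalFilename version resource and the SHA256 hash. The parent-process check (taskhostw.exe normally being started by the Task Scheduler service hosted in svchost.exe) and the function name Test-TaskhostwProcess are assumptions of the example, not facts from this page. It assumes Windows PowerShell 5.1 or later in an elevated session so that ExecutablePath is readable for every process.

```powershell
# Added example for this page (not from Strontic, Sigma or Atomic Red Team).
# Flags taskhostw.exe processes that do not match the legitimate binary.
# Assumption: run elevated on Windows PowerShell 5.1+ so ExecutablePath is readable.

$ExpectedPath    = Join-Path $env:SystemRoot 'System32\taskhostw.exe'
$ExpectedSubject = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
# SHA256 from this page; it belongs to build 10.0.18362.1 only, so a mismatch
# is reported as informational rather than treated as proof of tampering.
$KnownSha256     = '0BEC3128B241FA533DC5A9D3F62AA41323D205DEFC30DCDE228C5ECC2D1E50A9'

function Test-TaskhostwProcess {
    # $Process is a Win32_Process instance from Get-CimInstance.
    param([Parameter(Mandatory)] $Process)

    $findings = @()
    $path = $Process.ExecutablePath

    if (-not $path) {
        $findings += 'ExecutablePath not readable (not elevated, or process already exited)'
    }
    elseif ($path -ne $ExpectedPath) {
        # The atomic test lands here: %APPDATA%\taskhostw.exe instead of System32.
        $findings += "Unexpected path: $path"
    }

    if ($path -and (Test-Path -LiteralPath $path)) {
        # A renamed powershell.exe still carries a valid Microsoft Windows signature,
        # so the signature check alone is not a masquerading detector; it catches
        # unsigned or third-party-signed lookalikes.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "Signature status: $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
            $findings += "Unexpected signer: $($sig.SignerCertificate.Subject)"
        }

        # Renaming a file does not change its version resource, so a copied
        # powershell.exe reports OriginalFilename 'PowerShell.EXE'.
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        if ($vi.OriginalFilename -notmatch '^taskhostw\.exe(\.mui)?$') {
            $findings += "OriginalFilename mismatch: $($vi.OriginalFilename)"
        }

        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $KnownSha256) {
            $findings += "SHA256 $hash differs from the 10.0.18362.1 hash on this page (informational; other builds differ)"
        }
    }

    # Assumption of this example: the legitimate host is launched by the Task
    # Scheduler service inside svchost.exe. The atomic test is launched by cmd.exe.
    # ParentProcessId can be recycled after the parent exits, so treat this as a hint.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($Process.ParentProcessId)" -ErrorAction SilentlyContinue
    if ($parent -and $parent.Name -ne 'svchost.exe') {
        $findings += "Unexpected parent: $($parent.Name) (PID $($parent.ProcessId))"
    }

    [pscustomobject]@{
        ProcessId = $Process.ProcessId
        Path      = $path
        Findings  = $findings
    }
}

# Usage: report only the instances with at least one finding.
Get-CimInstance Win32_Process -Filter "Name = 'taskhostw.exe'" |
    ForEach-Object { Test-TaskhostwProcess -Process $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

Against the atomic test the path, OriginalFilename and parent checks all fire while the signature check passes, which is the practical point: a signed Microsoft binary under a borrowed name is only caught by comparing its location and version resource against the real host, not by signature status. The hash comparison is deliberately informational because the value on this page is tied to one build; on a patched system every legitimate taskhostw.exe will differ from it.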

MIT License. Copyright (c) 2020-2021 Strontic.