taskhostw.exe

  • File Path: C:\Windows\system32\taskhostw.exe
  • Description: Host Process for Windows Tasks

Hashes

Type     Hash
MD5      AF8D8590B0F74A7F514438DF3F1F4C22
SHA1     91896DF7DFC43D7018E10781C8AF392559BED7F7
SHA256   72279AD47EED7FBF2472214824696351B9CB2571B8EE5D8C92FADA23B378D812
SHA384   024E5B20311E6AC92017CE75BD9975BD66CDB5092D8976E614C56873467F79A269E3A754110A77D6ACF4091D629D9BBE
SHA512   966E9B793EAE2C522AE627C0CAECCD919382CB4B260BD6E830E4E106B3B5838744DE3A54C271466ED59E5260D4A5D7E207BBAC43A63259D1BBBA6B3E9D73C113
SSDEEP   1536:+1ZCzBzDm9RGtcpHyxlLfE38VsPPh2mBqXh+M2fBBjrg8KMOg7pPd:0Ezp1tcJyxlLfE38wP7sXh+nfB5g8KM7
IMP      3A0C6863CDE566AF997DB2DEFFF9D924
PESHA1   B714F79561971686E83C2A9A3B38E864B4D24FA8
PE256    6288F6548D4DA4EA4EC6298B72E2DA21580F859B0BCD108E983C265851AEB8CC

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\system32\taskhostw.exe
C:\Windows\System32\ucrtbase.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: taskhostw.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/72279ad47eed7fbf2472214824696351b9cb2571b8ee5d8c92fada23b378d812/detection

File Similarity (ssdeep match)

File                                Score
C:\Windows\system32\taskhostw.exe   47
C:\Windows\system32\taskhostw.exe   82
C:\Windows\system32\taskhostw.exe   82

Score is the ssdeep match value (0-100) between this file and another taskhostw.exe in the corpus; the same path is listed once per compared file, so these rows are other builds of the binary, not this one.

Possible Misuse

The following table lists places in public detection and adversary-emulation content where taskhostw.exe appears. taskhostw.exe is not inherently malicious: it is the Microsoft-signed host process for Windows tasks, and the Sigma entries below reference it by name or by its full System32 path. The Atomic Red Team entries (T1036.003) show the misuse pattern this page documents: powershell.exe is copied to %APPDATA%\taskhostw.exe and launched, so that a process named taskhostw.exe runs from a non-standard path and does not match the hashes or version resource recorded above.

Source | Source File | Example | License
sigma | image_load_suspicious_vss_ps_load.yml | - 'taskhostw.exe' | DRL 1.0
sigma | image_load_wmi_module_load.yml | - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe | DRL 1.0
sigma | proc_access_win_cred_dump_lsass_access.yml | - 'C:\WINDOWS\system32\taskhostw.exe' | DRL 1.0
sigma | proc_access_win_in_memory_assembly_execution.yml | - 'C:\WINDOWS\system32\taskhostw.exe' | DRL 1.0
sigma | proc_access_win_susp_proc_access_lsass.yml | - 'C:\WINDOWS\system32\taskhostw.exe' | DRL 1.0
atomic-red-team | index.md | Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md | Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md | ## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md | Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md | Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md | copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md | cmd.exe /K %APPDATA%\taskhostw.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1036.003.md | del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 | MIT License. © 2018 Red Canary
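One practical check that follows from the identity data on this page: enumerate every running process named taskhostw.exe and compare its executable path, Authenticode signer, SHA256 and version-resource OriginalFilename against the values recorded above. This is an added PowerShell example, not code from the Strontic page or from the Sigma and Atomic Red Team content it cites. It assumes the 10.0.19041.1 build documented here (the SHA256 comparison only confirms that exact build; any other Windows build hashes differently), and the function name Test-TaskhostwInstance is ours.

```powershell
# Added example: verify running taskhostw.exe instances against the
# reference values on this page (build 10.0.19041.1). Not Strontic's code.
$ExpectedPath   = 'C:\Windows\System32\taskhostw.exe'
$ExpectedSha256 = '72279AD47EED7FBF2472214824696351B9CB2571B8EE5D8C92FADA23B378D812'

function Test-TaskhostwInstance {
    # $Proc is a Win32_Process instance (ProcessId, ExecutablePath, CommandLine).
    param([Parameter(Mandatory)] $Proc)

    $path     = $Proc.ExecutablePath
    $findings = @()

    # 1. Path: the real binary lives only under System32. PowerShell string
    #    comparison (-ne) is case-insensitive, so C:\WINDOWS\system32 matches.
    if (-not $path) {
        $findings += 'no executable path (access denied or process already exited)'
    } elseif ($path -ne $ExpectedPath) {
        $findings += "non-standard path: $path"
    }

    if ($path -and (Test-Path -LiteralPath $path)) {
        # 2. Authenticode. Note the caveat: the renamed powershell.exe from the
        #    T1036.003 test is still a validly signed Microsoft Windows binary,
        #    so a passing signature does not clear the process; the path and
        #    OriginalFilename checks are what separate the two.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status: $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notlike 'CN=Microsoft Windows, O=Microsoft Corporation*') {
            $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
        }

        # 3. SHA256 against the build documented on this page. A mismatch on a
        #    different Windows build is expected, so report it as "review".
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $ExpectedSha256) {
            $findings += "SHA256 $hash is not the 10.0.19041.1 reference (other build, or not taskhostw.exe)"
        }

        # 4. Version resource. This page records OriginalFilename as
        #    taskhostw.exe.mui; a copied powershell.exe keeps PowerShell's own
        #    OriginalFilename no matter what it was renamed to on disk.
        $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        if ($orig -notlike 'taskhostw.exe*') {
            $findings += "OriginalFilename is '$orig'"
        }
    }

    [pscustomobject]@{
        ProcessId   = $Proc.ProcessId
        Path        = $path
        CommandLine = $Proc.CommandLine
        Suspicious  = ($findings.Count -gt 0)
        Findings    = ($findings -join '; ')
    }
}

# Usage: run elevated so ExecutablePath is readable for every instance.
Get-CimInstance Win32_Process -Filter "Name = 'taskhostw.exe'" |
    ForEach-Object { Test-TaskhostwInstance $_ } |
    Format-Table -AutoSize
```

Against the Atomic Red Team test above, the %APPDATA%\taskhostw.exe instance is flagged by the path and OriginalFilename checks and by the hash, while its signature reports Valid; a genuine System32 instance on a build other than 10.0.19041.1 is flagged only on the hash line, which is why that finding is worded as a review item rather than a verdict.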

MIT License. Copyright (c) 2020-2021 Strontic.