taskhostw.exe

  • File Path: C:\Windows\system32\taskhostw.exe
  • Description: Host Process for Windows Tasks

Hashes

Type Hash
MD5 B2B02A857A2AA316EC17DD3BC73406C3
SHA1 B970BFA8A50D49D7DADB4BEAF17BCE0F62A8143C
SHA256 59C34F131DCEDCC34252D2AB18754481843EFB2A64A92996391330C321154943
SHA384 FC073DA6769EDADDD0EC4325DCC697F60983DB8CBDA3F8247F68E83AEC2D0231E16D47066ADBF0D57E520866363D6C4C
SHA512 A9AD7C90656BFE25F7CF1A657D965170EC103A56CBC1FA58DC735D8EF6EDB9D327037E2FAE75F24DD2C9D8DFB63DE0F21027D341FA2460EFB29A07C84A9215FF
SSDEEP 1536:+1ZCzBzDm9RGtcpHyxlLfE38VsPPh2mBqXh+MGfv6BirgrKdO3yfP9J/:0Ezp1tcJyxlLfE38wP7sXh+HfCogrKdP
IMP 3A0C6863CDE566AF997DB2DEFFF9D924
PESHA1 B80FFB5C8474121865F49C6CA4935C53FA08DAF1
PE256 614D057889E734F81F915FD6399FAFCDE007BE163917935E7C8EDD0E3F4BBFBF

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\system32\taskhostw.exe
C:\Windows\System32\ucrtbase.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: taskhostw.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/59c34f131dcedcc34252d2ab18754481843efb2a64a92996391330c321154943/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\taskhostw.exe 44
C:\Windows\system32\taskhostw.exe 94
C:\Windows\system32\taskhostw.exe 82

Possible Misuse

The following table contains possible examples of taskhostw.exe being misused. While taskhostw.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_vss_ps_load.yml - 'taskhostw.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\WINDOWS\system32\taskhostw.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\system32\taskhostw.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\WINDOWS\system32\taskhostw.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md cmd.exe /K %APPDATA%\taskhostw.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.