SHA256: 50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf
File name: taskmgr.exe
Detection ratio: 0 / 43
Analysis date: 2012-03-05 12:18:45 UTC ( 2 years, 1 month ago )
Probably harmless! There are strong indicators suggesting that this file is safe to use.
Antivirus Result Update
AVG 20120305
AhnLab-V3 20120305
AntiVir 20120305
Antiy-AVL 20120305
Avast 20120305
BitDefender 20120305
ByteHero 20120305
CAT-QuickHeal 20120305
ClamAV 20120305
Commtouch 20120304
Comodo 20120305
DrWeb 20120305
Emsisoft 20120305
F-Prot 20120304
F-Secure 20120305
Fortinet 20120305
GData 20120305
Ikarus 20120305
Jiangmin 20120301
K7AntiVirus 20120302
Kaspersky 20120305
McAfee 20120302
McAfee-GW-Edition 20120304
Microsoft 20120305
NOD32 20120305
Norman 20120304
PCTools 20120228
Panda 20120305
Prevx 20120305
Rising 20120305
SUPERAntiSpyware 20120302
Sophos 20120305
Symantec 20120305
TheHacker 20120305
TrendMicro 20120304
TrendMicro-HouseCall 20120305
VBA32 20120305
VIPRE 20120305
ViRobot 20120305
VirusBuster 20120304
eSafe 20120305
eTrust-Vet 20120305
nProtect 20120304
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright © Microsoft Corporation. All rights reserved.
Publisher Microsoft Windows
Product Microsoft® Windows® Operating System
Original name taskmgr.exe.mui
Internal name taskmgr
File version 6.1.7600.16385 (win7_rtm.090713-1255)
Description Windows Task Manager
Signature verification Signed file, verified signature
Signing date 8:37 PM 11/20/2010
Signers
[+] Microsoft Windows
Status Certificate out of its validity period
Valid from 10:57 PM 12/7/2009
Valid to 10:57 PM 3/7/2011
Valid usage Code Signing, NT5 Crypto
Algorithm SHA1
Thumbprint 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
Serial number 61 15 23 0F 00 00 00 00 00 0A
[+] Microsoft Windows Verification PCA
Status Valid
Valid from 10:55 PM 9/15/2005
Valid to 11:05 PM 3/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm SHA1
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
[+] Microsoft Root Certificate Authority
Status Valid
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm SHA1
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status Certificate out of its validity period
Valid from 8:12 PM 7/25/2008
Valid to 8:22 PM 7/25/2011
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C
Serial number 61 03 DC F6 00 00 00 00 00 0C
[+] Microsoft Time-Stamp PCA
Status Valid
Valid from 1:53 PM 4/3/2007
Valid to 2:03 PM 4/3/2021
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm SHA1
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-11-20 08:56:01
Entry Point 0x00008387
Number of sections 4
PE sections
PE imports
RegCreateKeyExW
OpenThreadWaitChainSession
RegCloseKey
EventWrite
OpenServiceW
QueryServiceConfigW
ControlService
RegQueryValueExW
CloseServiceHandle
CreateWellKnownSid
OpenProcessToken
RegOpenKeyExW
EnumServicesStatusExW
SetTokenInformation
EventUnregister
GetTokenInformation
DuplicateTokenEx
IsValidSid
StartServiceW
AdjustTokenPrivileges
GetThreadWaitChain
RevertToSelf
EventRegister
RegSetValueExW
OpenSCManagerW
ImpersonateLoggedOnUser
CloseThreadWaitChainSession
Ord(337)
Ord(336)
Ord(328)
Ord(329)
Ord(334)
Ord(338)
ImageList_Create
Ord(331)
Ord(345)
ImageList_Remove
Ord(17)
CreateStatusWindowW
ImageList_SetIconSize
ImageList_ReplaceIcon
GetDeviceCaps
GetCurrentObject
LineTo
DeleteDC
CreateFontIndirectW
SetBkMode
MoveToEx
CreatePen
GetCharWidth32W
GetStockObject
SelectObject
SetTextColor
GetObjectW
BitBlt
SetBkColor
CreateCompatibleDC
DeleteObject
CreateCompatibleBitmap
Rectangle
GetAdaptersAddresses
GetIfEntry2
NhGetInterfaceNameFromDeviceGuid
CreateToolhelp32Snapshot
OpenThread
HeapFree
lstrlenW
DelayLoadFailureHook
lstrlenA
GetModuleFileNameW
DeviceIoControl
WaitForSingleObject
TrySubmitThreadpoolCallback
SetEvent
GetThreadTimes
CompareStringW
GetTickCount
SetProcessShutdownParameters
InterlockedExchange
GetLogicalProcessorInformationEx
lstrcmpiW
GetCommandLineW
CreateThreadpoolCleanupGroup
DuplicateHandle
HeapSetInformation
GetCurrentProcess
GetPriorityClass
LoadLibraryExA
GetCurrentDirectoryW
GetCurrentProcessId
CloseThreadpoolCleanupGroupMembers
OpenProcess
LockResource
ProcessIdToSessionId
QueryFullProcessImageNameW
GetStartupInfoW
ReleaseMutex
UnhandledExceptionFilter
SetErrorMode
MultiByteToWideChar
HeapSize
ReadProcessMemory
GetProcAddress
InterlockedCompareExchange
GetLocaleInfoW
GetComputerNameW
GetTimeFormatW
CreateThread
LoadLibraryW
ExpandEnvironmentStringsW
GetExitCodeThread
SetUnhandledExceptionFilter
GetModuleHandleA
GetVersionExW
GetTempPathW
CreateMutexW
MulDiv
GetSystemTimeAsFileTime
GetErrorMode
Thread32Next
CloseThreadpoolCleanupGroup
Thread32First
HeapReAlloc
SetPriorityClass
FreeLibrary
LocalFree
FormatMessageW
IsWow64Process
CreateEventW
GetNumaHighestNodeNumber
QueryPerformanceCounter
LoadResource
FindResourceExW
CreateFileW
CreateProcessW
CallbackMayRunLong
Sleep
TerminateProcess
GetLastError
HeapAlloc
GetCurrentThreadId
GetProcessHeap
lstrcmpW
GetNumberFormatW
SetLastError
CloseHandle
Ord(75)
Ord(100)
Ord(61)
ShellAboutW
Ord(245)
DuplicateIcon
SHOpenFolderAndSelectItems
ShellExecuteExW
SHParseDisplayName
Shell_NotifyIconW
CommandLineToArgvW
Ord(348)
Ord(618)
Ord(158)
Ord(437)
PathAppendW
Ord(16)
PathAddExtensionW
StrStrW
StrFormatByteSizeW
PathRemoveExtensionW
GetUserNameExW
RedrawWindow
GetForegroundWindow
DrawTextW
EnumDesktopsW
DestroyMenu
GetGuiResources
SetWindowPos
GetNextDlgTabItem
IsWindow
OpenIcon
AppendMenuW
DispatchMessageW
GetCursorPos
CharLowerBuffW
GetDlgCtrlID
HungWindowFromGhostWindow
SendMessageW
GhostWindowFromHungWindow
GetClassInfoW
AllowSetForegroundWindow
SetMenuDefaultItem
SetScrollPos
GetThreadDesktop
LoadImageW
GetWindowTextW
GetWindowTextLengthW
MsgWaitForMultipleObjects
DestroyWindow
GetParent
UpdateWindow
PostQuitMessage
SetProcessDPIAware
GetMessageW
ShowWindow
PeekMessageW
EnableWindow
ShowWindowAsync
TranslateMessage
SetThreadDesktop
GetWindow
InternalGetWindowText
LoadAcceleratorsW
RegisterClassW
OpenDesktopW
IsZoomed
LoadStringW
SetWindowLongW
IsHungAppWindow
IsIconic
TrackPopupMenuEx
GetSubMenu
SetTimer
IsDialogMessageW
SwitchToThisWindow
MonitorFromPoint
DeferWindowPos
GetDialogBaseUnits
CreateWindowExW
GetWindowLongW
SetFocus
RegisterWindowMessageW
GetMonitorInfoW
DefWindowProcW
KillTimer
CheckMenuRadioItem
ChangeWindowMessageFilterEx
MapWindowPoints
GetSystemMetrics
EnableMenuItem
GetWindowRect
EnumDesktopWindows
GetProcessWindowStation
GetScrollInfo
CreateDialogParamW
CheckMenuItem
GetClassLongW
GetLastActivePopup
SetWindowTextW
GetDlgItem
PostMessageW
PostThreadMessageW
IsDlgButtonChecked
CheckDlgButton
GetDesktopWindow
LoadCursorW
LoadIconW
GetMenuItemID
FillRect
SetForegroundWindow
GetMenuItemInfoW
ReleaseDC
EndDialog
FindWindowW
EndTask
GetShellWindow
MessageBeep
LoadMenuW
RemoveMenu
GetWindowThreadProcessId
GetSysColorBrush
BeginDeferWindowPos
MessageBoxW
GetMenu
SetMenu
MoveWindow
DialogBoxParamW
CascadeWindows
GetFocus
GetSysColor
SetDlgItemTextW
SetScrollInfo
GetKeyState
EndDeferWindowPos
DestroyIcon
IsWindowVisible
TileWindows
SystemParametersInfoW
GetDC
SetRect
DeleteMenu
InvalidateRect
CallWindowProcW
GetClassNameW
GetClientRect
CloseDesktop
SendMessageTimeoutW
TranslateAcceleratorW
SetCursor
IsThemeActive
SetWindowTheme
VDMTerminateTaskWOW
VDMEnumTaskWOWEx
CredUIPromptForCredentialsW
__p__fmode
__wgetmainargs
memset
_ftol2
_wcsicmp
swscanf_s
_vsnwprintf
_amsg_exit
?terminate@@YAXXZ
??2@YAPAXI@Z
memcpy
_wcsdup
_ftol2_sse
exit
towlower
strrchr
__setusermatherr
_controlfp
_XcptFilter
_cexit
_i64tow_s
__p__commode
??3@YAXPAX@Z
free
_except_handler4_common
_wtol
memmove
wcsrchr
_ui64tow_s
wcsstr
_initterm
_exit
_wcmdln
__set_app_type
RtlNtStatusToDosError
RtlInitUnicodeString
NtOpenProcessToken
NtOpenFile
RtlDeleteCriticalSection
NtSetInformationProcess
NtSetInformationFile
RtlTimeToElapsedTimeFields
NtOpenThread
NtOpenThreadToken
NtQueryTimerResolution
NtQueryInformationToken
RtlTryEnterCriticalSection
WinSqmAddToStream
RtlInitializeCriticalSection
RtlLeaveCriticalSection
RtlEnterCriticalSection
NtQuerySystemInformation
NtQueryInformationProcess
NtClose
PcwCreateQuery
PcwCollectData
PcwAddQueryItem
EvtClose
EvtSubscribe
Number of PE resources by type
RT_ICON 53
RT_GROUP_ICON 17
RT_BITMAP 3
RT_MANIFEST 1
WEVT_TEMPLATE 1
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 77
ExifTool file metadata
SubsystemVersion 6.1
InitializedDataSize 110592
ImageVersion 6.1
ProductName Microsoft Windows Operating System
FileVersionNumber 6.1.7601.17514
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 9.0
OriginalFilename taskmgr.exe
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
TimeStamp 2010:11:20 09:56:01+01:00
FileType Win32 EXE
PEType PE32
InternalName taskmgr
FileAccessDate 2014:04:16 23:23:20+01:00
ProductVersion 6.1.7601.17514
FileDescription Windows Task Manager
OSVersion 6.1
FileCreateDate 2014:04:16 23:23:20+01:00
FileOS Windows NT 32-bit
LegalCopyright Microsoft Corporation. All rights reserved.
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 118784
FileSubtype 0
ProductVersionNumber 6.1.7601.17514
EntryPoint 0x8387
ObjectFileType Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 545bf7eaa24a9e062857d0742ec0b28a
SHA1 d748d5b325e5dd4fadeb837a59f61e55d2636d31
SHA256 50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf
ssdeep 3072:pH2eGGLRntP8pp24NtkoOhlowctY4FNCFvj0mUXx5WNLqZz/JevbRcMhA:pHepEi7Oh+txfj0Lq+TeMm
imphash c8e0b2ae275fc85dcd34a3b111fe1eb4
File size 222.0 KB ( 227328 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe signed mz

VirusTotal metadata
First submission 2011-01-17 11:57:27 UTC ( 3 years, 3 months ago )
Last submission 2014-04-16 22:22:59 UTC ( 2 days, 8 hours ago )
File names 7c08c3fcdb86254a888f61af83216578.tmp
b9a6340af6d11c49ac452f4c2b556b32.tmp
8ef04731cc1643459185399f592687a4.tmp
taskmgr.exe
c317289c200f8c44a09e18267f80d356.tmp
2d362477b847eb6909ec7963e6d6b127_taskmgr.exe.safe
pictures.exe
4bab278ffdb2e243a7cd749298784ed4.tmp
taskmgr.exe
a349b57fb3bcaf4cba752707dfe09b4e.tmp
8d26418637c58c478c7ee38d9f56a506.tmp
50F2ABB613DF4813CE74F3B0DF080497F689DFCAD11F0FC7CD5EA4CDAF093BDF
file-2945747_exe
taskmgr.com
smona131194816770307464086
545bf7eaa24a9e062857d0742ec0b28a
d4c13b1eac10ca4a8b3d166628289db7.tmp
4c821a5552306a4ba18b1091adf933d9.tmp
FlashUp.exe
f5d4fa97f4376045ab2ceab8baa5cf34.tmp
taskmgr.exe
236223cb70d64c49b6dd7afe6781dd72.tmp
40356eac1e117e46a932de24ea0bdf71.tmp
7cee0ad407f09a4ebc88c35b6dd6c635.tmp
AudioTreiber_x64.exe
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en .

Symantec reputation Suspicious.Insight
Behaviour characterization
Zemana dll-injection