SHA256: 50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf
File name: taskmgr.exe
Detection ratio: 0 / 43
Analysis date: 2012-03-05 12:18:45 UTC ( 4 years, 2 months ago )
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
AVG 20120305
AhnLab-V3 20120305
AntiVir 20120305
Antiy-AVL 20120305
Avast 20120305
BitDefender 20120305
ByteHero 20120305
CAT-QuickHeal 20120305
ClamAV 20120305
Commtouch 20120304
Comodo 20120305
DrWeb 20120305
Emsisoft 20120305
F-Prot 20120304
F-Secure 20120305
Fortinet 20120305
GData 20120305
Ikarus 20120305
Jiangmin 20120301
K7AntiVirus 20120302
Kaspersky 20120305
McAfee 20120302
McAfee-GW-Edition 20120304
Microsoft 20120305
NOD32 20120305
Norman 20120304
PCTools 20120228
Panda 20120305
Prevx 20120305
Rising 20120305
SUPERAntiSpyware 20120302
Sophos 20120305
Symantec 20120305
TheHacker 20120305
TrendMicro 20120304
TrendMicro-HouseCall 20120305
VBA32 20120305
VIPRE 20120305
ViRobot 20120305
VirusBuster 20120304
eSafe 20120305
eTrust-Vet 20120305
nProtect 20120304
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
© Microsoft Corporation. All rights reserved.

Product Microsoft® Windows® Operating System
Original name taskmgr.exe
Internal name taskmgr
File version 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Description Windows Task Manager
Signature verification Signed file, verified signature
Signing date 8:37 PM 11/20/2010
Signers
[+] Microsoft Windows
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Windows Verification PCA
Valid from 10:57 PM 12/7/2009
Valid to 10:57 PM 3/7/2011
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
Serial number 61 15 23 0F 00 00 00 00 00 0A
[+] Microsoft Windows Verification PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Certificate Authority
Valid from 10:55 PM 9/15/2005
Valid to 11:05 PM 3/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 8:12 PM 7/25/2008
Valid to 8:22 PM 7/25/2011
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C
Serial number 61 03 DC F6 00 00 00 00 00 0C
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 1:53 PM 4/3/2007
Valid to 2:03 PM 4/3/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-11-20 08:56:01
Entry Point 0x00008387
Number of sections 4
PE sections
PE imports
RegCreateKeyExW
OpenThreadWaitChainSession
RegCloseKey
EventWrite
OpenServiceW
QueryServiceConfigW
ControlService
RegQueryValueExW
CloseServiceHandle
CreateWellKnownSid
OpenProcessToken
RegOpenKeyExW
EnumServicesStatusExW
SetTokenInformation
EventUnregister
GetTokenInformation
DuplicateTokenEx
IsValidSid
StartServiceW
AdjustTokenPrivileges
GetThreadWaitChain
RevertToSelf
EventRegister
RegSetValueExW
OpenSCManagerW
ImpersonateLoggedOnUser
CloseThreadWaitChainSession
Ord(337)
Ord(336)
Ord(328)
Ord(329)
Ord(334)
Ord(338)
ImageList_Create
Ord(331)
Ord(345)
ImageList_Remove
Ord(17)
CreateStatusWindowW
ImageList_SetIconSize
ImageList_ReplaceIcon
GetDeviceCaps
GetCurrentObject
LineTo
DeleteDC
CreateFontIndirectW
SetBkMode
MoveToEx
CreatePen
GetCharWidth32W
GetStockObject
SelectObject
SetTextColor
GetObjectW
BitBlt
SetBkColor
CreateCompatibleDC
DeleteObject
CreateCompatibleBitmap
Rectangle
GetAdaptersAddresses
GetIfEntry2
NhGetInterfaceNameFromDeviceGuid
CreateToolhelp32Snapshot
OpenThread
HeapFree
lstrlenW
DelayLoadFailureHook
lstrlenA
GetModuleFileNameW
DeviceIoControl
WaitForSingleObject
TrySubmitThreadpoolCallback
SetEvent
GetThreadTimes
CompareStringW
GetTickCount
SetProcessShutdownParameters
InterlockedExchange
GetLogicalProcessorInformationEx
lstrcmpiW
GetCommandLineW
CreateThreadpoolCleanupGroup
DuplicateHandle
HeapSetInformation
GetCurrentProcess
GetPriorityClass
LoadLibraryExA
GetCurrentDirectoryW
GetCurrentProcessId
CloseThreadpoolCleanupGroupMembers
OpenProcess
LockResource
ProcessIdToSessionId
QueryFullProcessImageNameW
GetStartupInfoW
ReleaseMutex
UnhandledExceptionFilter
SetErrorMode
MultiByteToWideChar
HeapSize
ReadProcessMemory
GetProcAddress
InterlockedCompareExchange
GetLocaleInfoW
GetComputerNameW
GetTimeFormatW
CreateThread
LoadLibraryW
ExpandEnvironmentStringsW
GetExitCodeThread
SetUnhandledExceptionFilter
GetModuleHandleA
GetVersionExW
GetTempPathW
CreateMutexW
MulDiv
GetSystemTimeAsFileTime
GetErrorMode
Thread32Next
CloseThreadpoolCleanupGroup
Thread32First
HeapReAlloc
SetPriorityClass
FreeLibrary
LocalFree
FormatMessageW
IsWow64Process
CreateEventW
GetNumaHighestNodeNumber
QueryPerformanceCounter
LoadResource
FindResourceExW
CreateFileW
CreateProcessW
CallbackMayRunLong
Sleep
TerminateProcess
GetLastError
HeapAlloc
GetCurrentThreadId
GetProcessHeap
lstrcmpW
GetNumberFormatW
SetLastError
CloseHandle
Ord(75)
Ord(100)
Ord(61)
ShellAboutW
Ord(245)
DuplicateIcon
SHOpenFolderAndSelectItems
ShellExecuteExW
SHParseDisplayName
Shell_NotifyIconW
CommandLineToArgvW
Ord(348)
Ord(618)
Ord(158)
Ord(437)
PathAppendW
Ord(16)
PathAddExtensionW
StrStrW
StrFormatByteSizeW
PathRemoveExtensionW
GetUserNameExW
RedrawWindow
GetForegroundWindow
DrawTextW
EnumDesktopsW
DestroyMenu
GetGuiResources
SetWindowPos
GetNextDlgTabItem
IsWindow
OpenIcon
AppendMenuW
DispatchMessageW
GetCursorPos
CharLowerBuffW
GetDlgCtrlID
HungWindowFromGhostWindow
SendMessageW
GhostWindowFromHungWindow
GetClassInfoW
AllowSetForegroundWindow
SetMenuDefaultItem
SetScrollPos
GetThreadDesktop
LoadImageW
GetWindowTextW
GetWindowTextLengthW
MsgWaitForMultipleObjects
DestroyWindow
GetParent
UpdateWindow
PostQuitMessage
SetProcessDPIAware
GetMessageW
ShowWindow
PeekMessageW
EnableWindow
ShowWindowAsync
TranslateMessage
SetThreadDesktop
GetWindow
InternalGetWindowText
LoadAcceleratorsW
RegisterClassW
OpenDesktopW
IsZoomed
LoadStringW
SetWindowLongW
IsHungAppWindow
IsIconic
TrackPopupMenuEx
GetSubMenu
SetTimer
IsDialogMessageW
SwitchToThisWindow
MonitorFromPoint
DeferWindowPos
GetDialogBaseUnits
CreateWindowExW
GetWindowLongW
SetFocus
RegisterWindowMessageW
GetMonitorInfoW
DefWindowProcW
KillTimer
CheckMenuRadioItem
ChangeWindowMessageFilterEx
MapWindowPoints
GetSystemMetrics
EnableMenuItem
GetWindowRect
EnumDesktopWindows
GetProcessWindowStation
GetScrollInfo
CreateDialogParamW
CheckMenuItem
GetClassLongW
GetLastActivePopup
SetWindowTextW
GetDlgItem
PostMessageW
PostThreadMessageW
IsDlgButtonChecked
CheckDlgButton
GetDesktopWindow
LoadCursorW
LoadIconW
GetMenuItemID
FillRect
SetForegroundWindow
GetMenuItemInfoW
ReleaseDC
EndDialog
FindWindowW
EndTask
GetShellWindow
MessageBeep
LoadMenuW
RemoveMenu
GetWindowThreadProcessId
GetSysColorBrush
BeginDeferWindowPos
MessageBoxW
GetMenu
SetMenu
MoveWindow
DialogBoxParamW
CascadeWindows
GetFocus
GetSysColor
SetDlgItemTextW
SetScrollInfo
GetKeyState
EndDeferWindowPos
DestroyIcon
IsWindowVisible
TileWindows
SystemParametersInfoW
GetDC
SetRect
DeleteMenu
InvalidateRect
CallWindowProcW
GetClassNameW
GetClientRect
CloseDesktop
SendMessageTimeoutW
TranslateAcceleratorW
SetCursor
IsThemeActive
SetWindowTheme
VDMTerminateTaskWOW
VDMEnumTaskWOWEx
CredUIPromptForCredentialsW
__p__fmode
__wgetmainargs
memset
_ftol2
_wcsicmp
swscanf_s
_vsnwprintf
_amsg_exit
?terminate@@YAXXZ
??2@YAPAXI@Z
memcpy
_wcsdup
_ftol2_sse
exit
towlower
strrchr
__setusermatherr
_controlfp
_XcptFilter
_cexit
_i64tow_s
__p__commode
??3@YAXPAX@Z
free
_except_handler4_common
_wtol
memmove
wcsrchr
_ui64tow_s
wcsstr
_initterm
_exit
_wcmdln
__set_app_type
RtlNtStatusToDosError
RtlInitUnicodeString
NtOpenProcessToken
NtOpenFile
RtlDeleteCriticalSection
NtSetInformationProcess
NtSetInformationFile
RtlTimeToElapsedTimeFields
NtOpenThread
NtOpenThreadToken
NtQueryTimerResolution
NtQueryInformationToken
RtlTryEnterCriticalSection
WinSqmAddToStream
RtlInitializeCriticalSection
RtlLeaveCriticalSection
RtlEnterCriticalSection
NtQuerySystemInformation
NtQueryInformationProcess
NtClose
PcwCreateQuery
PcwCollectData
PcwAddQueryItem
EvtClose
EvtSubscribe
Number of PE resources by type
RT_ICON 53
RT_GROUP_ICON 17
RT_BITMAP 3
RT_MANIFEST 1
WEVT_TEMPLATE 1
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 77
Debug information
ExifTool file metadata
SubsystemVersion 6.1
InitializedDataSize 110592
ImageVersion 6.1
ProductName Microsoft Windows Operating System
FileVersionNumber 6.1.7601.17514
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 9.0
FileTypeExtension exe
OriginalFileName taskmgr.exe
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
TimeStamp 2010:11:20 09:56:01+01:00
FileType Win32 EXE
PEType PE32
InternalName taskmgr
ProductVersion 6.1.7601.17514
FileDescription Windows Task Manager
OSVersion 6.1
FileOS Windows NT 32-bit
LegalCopyright Microsoft Corporation. All rights reserved.
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 118784
FileSubtype 0
ProductVersionNumber 6.1.7601.17514
EntryPoint 0x8387
ObjectFileType Executable application

File identification
MD5 545bf7eaa24a9e062857d0742ec0b28a
SHA1 d748d5b325e5dd4fadeb837a59f61e55d2636d31
SHA256 50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf
ssdeep 3072:pH2eGGLRntP8pp24NtkoOhlowctY4FNCFvj0mUXx5WNLqZz/JevbRcMhA:pHepEi7Oh+txfj0Lq+TeMm
authentihash 8b1deca198e078a887b29bcb71b1f409968327b8671a6566624b9faca5773c8f
imphash c8e0b2ae275fc85dcd34a3b111fe1eb4
File size 222.0 KB ( 227328 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (64.6%)
Win32 Dynamic Link Library (generic) (15.3%)
Win32 Executable (generic) (10.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
Tags peexe signed trusted
Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with taskmgr.exe as its name.
VirusTotal metadata
First submission 2011-01-17 11:57:27 UTC ( 5 years, 4 months ago )
Last submission 2016-05-31 23:13:59 UTC ( 6 hours, 12 minutes ago )
File names b92482932d85744d99c3fadfdacd9b82.tmp
d748d5b325e5dd4fadeb837a59f61e55d2636d31.exe
8f7f91eecfadd249bffa389ce30fbbcd.tmp
c1bf9156eed21949b0111c0c9a4d0295.tmp
774b3053a354974e8c1a9f3ed861c189.tmp
taskmgr(1433).exe
e076b283-db33-407e-972d-f633a4e9b0280.0
446e79ef3747c045925aee978dfbd5ba.tmp
5735f09141082e49ba7dd3f20c9217cc.tmp
61d6972bf3ad874ca50f0ca005c72f24.tmp
8c4304e4e333a0439c2e999907dd55cf.tmp
67c82c1b3a16594881f794855e5cc0d2.tmp
d6059ff86dfebf45b0ed94d1c88c2452.tmp
23910c48e478ab4190f85358f3453b33.tmp
c3994c1ce9997f4891feefe702e30ddb.tmp
9c7d493ace71444ea8a289ab8e5a4dd7.tmp
de6d9e9714081d41a7d222f9d0ff13b9.tmp
1151b9d344abfc4daf41c06245cb6eae.tmp
972a8e1c4c86bc4bb8b572463a2650f9.tmp
5312bc0cb700874aab0f680c166d0e2d.tmp
4b8354cac5704740b1e116c3a390777f.tmp
89836177a491234b88b5d888ad83d7b5.tmp
df6f153772dbf94cb96f6335abfc17d7.tmp
fa765a6a012c054cab68fdc5435271bf.tmp
94a9578b2e7c504dab2961426a5783ea.tmp
Advanced heuristic and reputation engines
ClamAV Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: http://www.clamav.net/doc/pua.html
Symantec reputation Suspicious.Insight
Behaviour characterization
Zemana dll-injection