backgroundTaskHost.exe

  • File Path: C:\Windows\system32\backgroundTaskHost.exe
  • Description: Background Task Host

Hashes

Type Hash
MD5 50D5FD1290D94D46ACCA0585311E74D5
SHA1 339E4E69D2120B97CE34B9A8D3597FF8E0A73561
SHA256 B8E176FE76A1454A00C4AF0F8BF8870650D9C33D3E333239A59445C5B35C9A37
SHA384 652E1102EDEB000B95F54DDC85BE8C4D7E92001F17AB8E8F6CF0021F0F6EFF087626F40B1C1C357C35E4FF141FA62700
SHA512 A89427027064F3B60948F6CD89D467A9E54A6947B8C73E73F9A252E1608CBA1A144DA77C47D5E36BD991649D878772934D93007A4B8A2AF005A39837851635D6
SSDEEP 384:H1dPOeFIR79Mjs0HijWFGWCmXjDBRJWrKudlZp06:PPO6tHimrXj1PWrTzB
IMP D2ACF1CBC4A6DB14A34C687B9362D66B
PESHA1 5A701540717DCE09B46A5B32C4E4D3AF1772249B
PE256 0E4697A91FAE48B1615889413132351D216890E78A07E67734222FFEA2E78B61

Runtime Data

Loaded Modules:

Path
C:\Windows\system32\backgroundTaskHost.exe
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RMCLIENT.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\twinapi.appcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\WinTypes.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: backgroundTaskHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37/detection/

File Similarity (ssdeep match)

File | Score
C:\Program Files (x86)\Common Files\microsoft shared\Ink\TabTip32.exe | 38
C:\WINDOWS\system32\backgroundTaskHost.exe | 35
C:\Windows\system32\browser_broker.exe | 35
C:\WINDOWS\system32\dllhost.exe | 33
C:\Windows\system32\dllhost.exe | 36
C:\Windows\system32\oobe\FirstLogonAnim.exe | 32
C:\WINDOWS\system32\oobe\FirstLogonAnim.exe | 30
C:\Windows\system32\prproc.exe | 33
C:\WINDOWS\system32\prproc.exe | 29
C:\Windows\system32\ScriptRunner.exe | 35
C:\Windows\system32\SlideToShutDown.exe | 33
C:\WINDOWS\system32\SlideToShutDown.exe | 32
C:\WINDOWS\SysWOW64\backgroundTaskHost.exe | 40
C:\Windows\SysWOW64\backgroundTaskHost.exe | 46
C:\Windows\SysWOW64\CameraSettingsUIHost.exe | 27
C:\WINDOWS\SysWOW64\CameraSettingsUIHost.exe | 33
C:\WINDOWS\SysWOW64\dllhost.exe | 33
C:\Windows\SysWOW64\dllhost.exe | 35

Possible Misuse

The following table contains possible examples of backgroundTaskHost.exe being misused. While backgroundTaskHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | image_load_abusing_azure_browser_sso.yml | - '\BackgroundTaskHost.exe' | DRL 1.0
sigma | proc_access_win_in_memory_assembly_execution.yml | - '\backgroundTaskHost.exe' | DRL 1.0
sigma | proc_access_win_in_memory_assembly_execution.yml | - 'C:\WINDOWS\system32\backgroundTaskHost.exe' | DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.