backgroundTaskHost.exe

  • File Path: C:\Windows\SysWOW64\backgroundTaskHost.exe
  • Description: Background Task Host

Hashes

Type Hash
MD5 F290D12F0351B56708B3DF1EC26CB45B
SHA1 8992D17CBE7275F69B8CABEE0EE6BCFBDD1B3596
SHA256 CD2BF90FE5CD57DC49AF50950C8CE3CFC6433CCE7B68FB20DFD78E30A865B134
SHA384 2AB41422D0E4942EE8227472D42B7E0A3F6BDA9929B240DAF6EE9835A0D7E2115CF7D096B001E1C1BB20CD5F8D1A7FBF
SHA512 918C3D82CA9E8386EF0BCAD06B5238DF9DC6E5F9C3B58EEFC0A10E90F1A3EEE613503281E31567FD498AFF439AE850CCACC6F0DD5EF23273FBA3AFBC5641EB13
SSDEEP 384:oLapnnorHWBWqGWhr6wDDBRJLrUJAl3qQBYJ:kknOHWbJr6wD1PLIuS
IMP B01956F70C2FC1C81D9AF197F35D4D75
PESHA1 F2B4B70338939B44D86BC5D578C54DDE3BAF7D6C
PE256 979EF31565289D7672F368247B466854F8A89F7432C51DE5F6DCADC69D9BE100

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\backgroundTaskHost.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: backgroundTaskHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.546 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.546
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/cd2bf90fe5cd57dc49af50950c8ce3cfc6433cce7b68fb20dfd78e30a865b134/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll 35
C:\Windows\system32\DeviceCensus.exe 29
C:\Windows\system32\LocationFrameworkPS.dll 27
C:\Windows\system32\migwiz\migres.dll 35
C:\Windows\system32\ResetEngine.exe 38
C:\Windows\system32\ResetEngine.exe 35
C:\Windows\system32\ScriptRunner.exe 35
C:\Windows\system32\ScriptRunner.exe 32
C:\Windows\system32\WerEnc.dll 38
C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe 43
C:\Windows\SysWOW64\backgroundTaskHost.exe 57
C:\Windows\SysWOW64\dllhost.exe 33
C:\Windows\SysWOW64\WerEnc.dll 33

Possible Misuse

The following table contains possible examples of backgroundTaskHost.exe being misused. While backgroundTaskHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_abusing_azure_browser_sso.yml | - '\BackgroundTaskHost.exe' | DRL 1.0 |
| sigma | proc_access_win_in_memory_assembly_execution.yml | - '\backgroundTaskHost.exe' | DRL 1.0 |
| sigma | proc_access_win_in_memory_assembly_execution.yml | - 'C:\WINDOWS\system32\backgroundTaskHost.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.