backgroundTaskHost.exe

  • File Path: C:\Windows\SysWOW64\backgroundTaskHost.exe
  • Description: Background Task Host

Hashes

Type Hash
MD5 F8D636BD68156F0C653DBC3D69FC0F08
SHA1 7202469A81C40BD2494C10B3DEF77F5F57CA97A1
SHA256 1B170E9624D0C6A699F6FED4F612802B3D82C21B6C27F9B41296C1F814A0F668
SHA384 28BB3C6125D637A0214D9C72FB47EE1646D9091EA2C4B9FE7066EACA2200BAEF6AF9DB35C765B3CD85BF3E84C9AEE557
SHA512 2A8225F311C545796FEEB3901611E4EBB611247D3FC05AFFC9DF8FA6031413E337B0283E99C62F682097B7C419E7D237898080C645883D7C3E82F67CD5A4CE40
SSDEEP 192:EADhE8DRi+A44ArvBucqK9to2AfXQHWH5WqeGWz+U/3XjDBQABJysQlmqnajzhfN:EiPA41vBTo0HWZWFGWamXjDBRJy6lPZN
IMP B01956F70C2FC1C81D9AF197F35D4D75
PESHA1 C486BE40F0928FB172C0A16E8869B731F7BABB4B
PE256 CD9D65C63206D407B1426555A3F42680B9FD7555A178485309481AE5B8FEDB3B

Runtime Data

Child Processes:

backgroundTaskHost.exe WerFault.exe

Open Handles:

Path Type
(RW-) C:\Users\user File
(RW-) C:\Windows File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\backgroundTaskHost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: backgroundTaskHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/1b170e9624d0c6a699f6fed4f612802b3d82c21b6c27f9b41296c1f814a0f668/detection/

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Common Files\microsoft shared\Ink\TabTip32.exe 35
C:\Windows\system32\backgroundTaskHost.exe 46
C:\WINDOWS\system32\backgroundTaskHost.exe 40
C:\Windows\system32\browser_broker.exe 35
C:\WINDOWS\system32\dllhost.exe 35
C:\Windows\system32\dllhost.exe 38
C:\Windows\system32\oobe\FirstLogonAnim.exe 38
C:\WINDOWS\system32\oobe\FirstLogonAnim.exe 40
C:\Windows\system32\prproc.exe 40
C:\WINDOWS\system32\prproc.exe 38
C:\Windows\system32\ScriptRunner.exe 35
C:\Windows\system32\SlideToShutDown.exe 33
C:\WINDOWS\system32\SlideToShutDown.exe 35
C:\Windows\SysWOW64\backgroundTaskHost.exe 46
C:\WINDOWS\SysWOW64\backgroundTaskHost.exe 54
C:\Windows\SysWOW64\CameraSettingsUIHost.exe 36
C:\WINDOWS\SysWOW64\CameraSettingsUIHost.exe 38
C:\WINDOWS\SysWOW64\dllhost.exe 36
C:\Windows\SysWOW64\dllhost.exe 36

Possible Misuse

The following table contains possible examples of backgroundTaskHost.exe being misused. While backgroundTaskHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_abusing_azure_browser_sso.yml - '\BackgroundTaskHost.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - '\backgroundTaskHost.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\system32\backgroundTaskHost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.