PresentationHost.exe

  • File Path: C:\Windows\system32\PresentationHost.exe
  • Description: Windows Presentation Foundation Host

Runtime Data

Child Processes:

iexplore.exe

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\system32\CRYPTBASE.DLL
C:\Windows\System32\cryptsp.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\system32\iertutil.dll
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\mscoree.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLE32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\system32\PresentationHost.exe
C:\Windows\System32\profapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\urlmon.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\VERSION.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll
C:\Windows\system32\WININET.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PresentationHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/6a51d20b0d5e3889a5bf168bf6c9a81ae50ccf74c5349547146f11c6016a87db/detection/

File Similarity (ssdeep match)

File Score
C:\windows\system32\PresentationHost.exe 57
C:\Windows\system32\PresentationHost.exe 63
C:\WINDOWS\system32\PresentationHost.exe 52
C:\WINDOWS\system32\PresentationHost.exe 60
C:\Windows\system32\PresentationHost.exe 54
C:\windows\SysWOW64\PresentationHost.exe 66
C:\WINDOWS\SysWOW64\PresentationHost.exe 57
C:\Windows\SysWOW64\PresentationHost.exe 68
C:\WINDOWS\SysWOW64\PresentationHost.exe 66
C:\Windows\SysWOW64\PresentationHost.exe 68
C:\Windows\SysWOW64\PresentationHost.exe 65

Possible Misuse

The following table contains possible examples of PresentationHost.exe being misused. While PresentationHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Presentationhost.yml Name: Presentationhost.exe  
LOLBAS Presentationhost.yml - Command: Presentationhost.exe C:\temp\Evil.xbap  
LOLBAS Presentationhost.yml - Path: C:\Windows\System32\Presentationhost.exe  
LOLBAS Presentationhost.yml - Path: C:\Windows\SysWOW64\Presentationhost.exe  

MIT License. Copyright (c) 2020-2021 Strontic.