PresentationHost.exe

  • File Path: C:\WINDOWS\system32\PresentationHost.exe
  • Description: Windows Presentation Foundation Host

Runtime Data

Child Processes:

iexplore.exe

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\PresentationHost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PresentationHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/bb432c938c36f4127ec91b074cd88d4aad73ef3947e542db8295b04052c75d0c/detection

File Similarity (ssdeep match)

File                                        Score
C:\Windows\system32\PresentationHost.exe    52
C:\windows\system32\PresentationHost.exe    55
C:\Windows\system32\PresentationHost.exe    55
C:\WINDOWS\system32\PresentationHost.exe    61
C:\Windows\system32\PresentationHost.exe    54
C:\windows\SysWOW64\PresentationHost.exe    60
C:\WINDOWS\SysWOW64\PresentationHost.exe    54
C:\Windows\SysWOW64\PresentationHost.exe    54
C:\WINDOWS\SysWOW64\PresentationHost.exe    54
C:\Windows\SysWOW64\PresentationHost.exe    52
C:\Windows\SysWOW64\PresentationHost.exe    54

Possible Misuse

The following table contains possible examples of PresentationHost.exe being misused. While PresentationHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source    Source File             Example                                                License
LOLBAS    Presentationhost.yml    Name: Presentationhost.exe
LOLBAS    Presentationhost.yml    - Command: Presentationhost.exe C:\temp\Evil.xbap
LOLBAS    Presentationhost.yml    - Path: C:\Windows\System32\Presentationhost.exe
LOLBAS    Presentationhost.yml    - Path: C:\Windows\SysWOW64\Presentationhost.exe

MIT License. Copyright (c) 2020-2021 Strontic.