PresentationHost.exe

  • File Path: C:\Windows\system32\PresentationHost.exe
  • Description: Windows Presentation Foundation Host

Hashes

Type Hash
MD5 3DD3F827425D39663544135A427CEC92
SHA1 44483EDB64B64DE425E5889F5B4BB01E9AA0CB7A
SHA256 54BE944EB17BC7DEB3618C7844580BDF74308A1F07DE10004CEB4A8ECCE2B367
SHA384 EC922394BEBD4A428792853F71A7EBB54379E45215F5B5B08EC87F44F357EA4CE2539818A92F4C010D3B0EEE3968CC52
SHA512 17F0AFBAAB04B05C57BB725DB80EFD2C5B995402418EE87385743A46AEF50007DAB5F60565106AADC44F416F6C7697FC044630164D03D2547460F4E67319BBEC
SSDEEP 6144:CFezZkNSw/gk9J9i1d55KNXwy3Odjp19k5KNXf:y6ZkN9J92lKVwy3OdLaKV

Runtime Data

Child Processes:

iexplore.exe

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PresentationHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\PresentationHost.exe 63
C:\windows\system32\PresentationHost.exe 61
C:\WINDOWS\system32\PresentationHost.exe 55
C:\WINDOWS\system32\PresentationHost.exe 60
C:\Windows\system32\PresentationHost.exe 61
C:\windows\SysWOW64\PresentationHost.exe 68
C:\WINDOWS\SysWOW64\PresentationHost.exe 58
C:\Windows\SysWOW64\PresentationHost.exe 63
C:\WINDOWS\SysWOW64\PresentationHost.exe 66
C:\Windows\SysWOW64\PresentationHost.exe 63
C:\Windows\SysWOW64\PresentationHost.exe 65

Possible Misuse

The following table contains possible examples of PresentationHost.exe being misused. While PresentationHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Presentationhost.yml Name: Presentationhost.exe  
LOLBAS Presentationhost.yml - Command: Presentationhost.exe C:\temp\Evil.xbap  
LOLBAS Presentationhost.yml - Path: C:\Windows\System32\Presentationhost.exe  
LOLBAS Presentationhost.yml - Path: C:\Windows\SysWOW64\Presentationhost.exe  

MIT License. Copyright (c) 2020-2021 Strontic.