PresentationHost.exe

  • File Path: C:\WINDOWS\system32\PresentationHost.exe
  • Description: Windows Presentation Foundation Host
  • Comments: Flavor=Retail

Hashes

| Type | Hash |
|---|---|
| MD5 | 49FA711824925D5FA0286A7FDE8C1821 |
| SHA1 | BAD31D3C32ABFBB8C4FC9FDB319A44738D0D65ED |
| SHA256 | FED3EB0690FBF5702FB8F737F81E7F73E5649F0FE692BD4649F03DFAC81F07AD |
| SHA384 | 51D20D59155CFAA4AD2BB58DA4C86AB7C1223A5A1830C612DBA798C85DA4AF5A80088921E38C47C80859CD2442572DB1 |
| SHA512 | DD522992F5D0F2E01ECEB8567BC2990C8FC6AB9562777E091EE54F0F74C67839058D6AF68FDEEE24F6DEE85E198145210D7E2430B1B0DD2EB27A38E5499AF36C |
| SSDEEP | 6144:GvMzhWcTzxZmi/tzLqt5KNXwy3Odjp19k5KNXf:GvMzIoPm2tnyKVwy3OdLaKV |

Runtime Data

Child Processes:

iexplore.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PresentationHost.exe.mui
  • Product Name: Microsoft .NET Framework
  • Company Name: Microsoft Corporation
  • File Version: 4.0.41210.0 built by: Main
  • Product Version: 4.0.41210.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Windows\system32\PresentationHost.exe | 60 |
| C:\windows\system32\PresentationHost.exe | 58 |
| C:\Windows\system32\PresentationHost.exe | 60 |
| C:\WINDOWS\system32\PresentationHost.exe | 61 |
| C:\Windows\system32\PresentationHost.exe | 61 |
| C:\windows\SysWOW64\PresentationHost.exe | 68 |
| C:\WINDOWS\SysWOW64\PresentationHost.exe | 58 |
| C:\Windows\SysWOW64\PresentationHost.exe | 60 |
| C:\WINDOWS\SysWOW64\PresentationHost.exe | 63 |
| C:\Windows\SysWOW64\PresentationHost.exe | 65 |
| C:\Windows\SysWOW64\PresentationHost.exe | 61 |

Possible Misuse

The following table contains possible examples of PresentationHost.exe being misused. While PresentationHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| LOLBAS | Presentationhost.yml | Name: Presentationhost.exe | |
| LOLBAS | Presentationhost.yml | - Command: Presentationhost.exe C:\temp\Evil.xbap | |
| LOLBAS | Presentationhost.yml | - Path: C:\Windows\System32\Presentationhost.exe | |
| LOLBAS | Presentationhost.yml | - Path: C:\Windows\SysWOW64\Presentationhost.exe | |

MIT License. Copyright (c) 2020-2021 Strontic.