PresentationHost.exe

  • File Path: C:\WINDOWS\SysWOW64\PresentationHost.exe
  • Description: Windows Presentation Foundation Host
  • Comments: Flavor=Retail

Hashes

Type Hash
MD5 A1204EFC65BFBF5198A23CB21E1C0562
SHA1 A17EA5533E8F185BA88679D0FD61A4B18DBF5C24
SHA256 E85EC38B9B042FD8D9A250A21E62A0F0ADF2B1D5B8EFF281E84522307F0F9B39
SHA384 85B83887C6F3C68AC06FA44CF20BC18319579A4379BD06764D9AA002CF1A3456CCE73D5B670D5E6DC06CAEC0AF95365A
SHA512 F219FECDDE43FA7FA910E295F068801F14E6456C7E7CBC0BEAF9151E0AE56974132F6ABC95C4C96D2D3A7DE71A39373E717BF4074589F67985C0633E8EF84424
SSDEEP 6144:KiNlP9X7m8Psd5KNXwy3Odjp19k5KNXfY:zNlP5aOQKVwy3OdLaKV

Runtime Data

Child Processes:

iexplore.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PresentationHost.exe.mui
  • Product Name: Microsoft .NET Framework
  • Company Name: Microsoft Corporation
  • File Version: 4.0.41210.0 built by: Main
  • Product Version: 4.0.41210.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\PresentationHost.exe 66
C:\windows\system32\PresentationHost.exe 60
C:\Windows\system32\PresentationHost.exe 66
C:\WINDOWS\system32\PresentationHost.exe 54
C:\WINDOWS\system32\PresentationHost.exe 63
C:\Windows\system32\PresentationHost.exe 63
C:\windows\SysWOW64\PresentationHost.exe 74
C:\WINDOWS\SysWOW64\PresentationHost.exe 63
C:\Windows\SysWOW64\PresentationHost.exe 61
C:\Windows\SysWOW64\PresentationHost.exe 66
C:\Windows\SysWOW64\PresentationHost.exe 69

Possible Misuse

The following table contains possible examples of PresentationHost.exe being misused. While PresentationHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Presentationhost.yml Name: Presentationhost.exe  
LOLBAS Presentationhost.yml - Command: Presentationhost.exe C:\temp\Evil.xbap  
LOLBAS Presentationhost.yml - Path: C:\Windows\System32\Presentationhost.exe  
LOLBAS Presentationhost.yml - Path: C:\Windows\SysWOW64\Presentationhost.exe  

MIT License. Copyright (c) 2020-2021 Strontic.