PresentationHost.exe

  • File Path: C:\Windows\SysWOW64\PresentationHost.exe
  • Description: Windows Presentation Foundation Host

Runtime Data

Child Processes:

iexplore.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\PresentationHost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PresentationHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\PresentationHost.exe 68
C:\windows\system32\PresentationHost.exe 61
C:\Windows\system32\PresentationHost.exe 63
C:\WINDOWS\system32\PresentationHost.exe 52
C:\WINDOWS\system32\PresentationHost.exe 65
C:\Windows\system32\PresentationHost.exe 61
C:\windows\SysWOW64\PresentationHost.exe 69
C:\WINDOWS\SysWOW64\PresentationHost.exe 63
C:\Windows\SysWOW64\PresentationHost.exe 63
C:\WINDOWS\SysWOW64\PresentationHost.exe 66
C:\Windows\SysWOW64\PresentationHost.exe 69

Possible Misuse

The following table contains possible examples of PresentationHost.exe being misused. While PresentationHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source   Source File            Example                                                License
LOLBAS   Presentationhost.yml   Name: Presentationhost.exe
LOLBAS   Presentationhost.yml   - Command: Presentationhost.exe C:\temp\Evil.xbap
LOLBAS   Presentationhost.yml   - Path: C:\Windows\System32\Presentationhost.exe
LOLBAS   Presentationhost.yml   - Path: C:\Windows\SysWOW64\Presentationhost.exe

MIT License. Copyright (c) 2020-2021 Strontic.