PresentationHost.exe

  • File Path: C:\Windows\SysWOW64\PresentationHost.exe
  • Description: Windows Presentation Foundation Host

Hashes

Type Hash
MD5 C6671F8B9F073785FD617661AD1F1C45
SHA1 DA141EC60E3CE6CC8A9CF60D13C4DEB6CB105B4A
SHA256 D9C533B6109160ABBF139D83C438806563E212D5C877192B64E4304806626C0A
SHA384 88AE0D8BA707375F80B836041B9E8C6F77AC01E5AAD33ED6DADD60D6259631ABFC7D460AB539DC74150F3EDE879E9469
SHA512 DC2D3A9E766F46DC5FC3296B2AC17642234BE1CC87EAA83EC7994C68915AF31CD5FE7CA7B561253EDAAE775E669E9D8AF926A0C20F3634037AF7A40257B09DBE
SSDEEP 6144:A0z2luCY78kez5KNXwy3Odjp19k5KNXf:AC2lu97ZQKVwy3OdLaKV
IMP EAABF5736556491C472D1B684E7EB9A1
PESHA1 C8CE9AA7164D1A765B69E42A23A404BC295FCA21
PE256 0BDC09FBCFA4F9A69B9C7575E35B13DAE940D01622186E873ABCDF2C541EBF44

Runtime Data

Child Processes:

iexplore.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\PresentationHost.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PresentationHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/d9c533b6109160abbf139d83c438806563e212d5c877192b64e4304806626c0a/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\PresentationHost.exe 65
C:\windows\system32\PresentationHost.exe 60
C:\Windows\system32\PresentationHost.exe 65
C:\WINDOWS\system32\PresentationHost.exe 54
C:\WINDOWS\system32\PresentationHost.exe 61
C:\Windows\system32\PresentationHost.exe 66
C:\windows\SysWOW64\PresentationHost.exe 68
C:\WINDOWS\SysWOW64\PresentationHost.exe 68
C:\Windows\SysWOW64\PresentationHost.exe 63
C:\WINDOWS\SysWOW64\PresentationHost.exe 69
C:\Windows\SysWOW64\PresentationHost.exe 69

Possible Misuse

The following table contains possible examples of PresentationHost.exe being misused. While PresentationHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Presentationhost.yml Name: Presentationhost.exe  
LOLBAS Presentationhost.yml - Command: Presentationhost.exe C:\temp\Evil.xbap  
LOLBAS Presentationhost.yml - Path: C:\Windows\System32\Presentationhost.exe  
LOLBAS Presentationhost.yml - Path: C:\Windows\SysWOW64\Presentationhost.exe  

MIT License. Copyright (c) 2020-2021 Strontic.