ShellExperienceHost[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

ShellExperienceHost.exe
Size

1.6MB
MD5

9b8de9d4edf68eef2c1e490abc291567
SHA1

07bdf43cf49b2f404f8e67fd8f9feaa26ba37ec6
SHA256

0ca78990791f4c02a19dff504925657993b5c4cf0523cf0d40e11dee47012a7e
SHA512

c6d24dbe32e0fc7e96a7467c26d1a554879fe8a57296bd1231f8205d27c69a1f92b947af386d8cb10b30e34611a3818d6cc19e296da021785e7f7634cb5045ac
SSDEEP

24576:zuUWSfP6UDQ3Ux4ziHw/xUEQJ17On3Jr1KvVFFRHEvi2OiXPB:zuUlfP65Ux4FpUEQJ17On3JrcFdVEB

Score

1^/10

Malware Config

Signatures

Files

ShellExperienceHost.exe
.exe windows x64

72533fd2ce483cdc50d7d46f66737e44

Code Sign

33:00:00:03:8b:79:45:c1:8b:0e:b6:87:ec:00:00:00:00:03:8b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/05/2022, 19:23

Not After

04/05/2023, 19:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3c:97:53:44:9a:44:54:98:dc:6b:9a:5d:61:41:3d:5c:76:de:c9:41:b3:74:5f:cc:72:ed:82:eb:03:30:0d:bb
Signer

Actual PE Digest

3c:97:53:44:9a:44:54:98:dc:6b:9a:5d:61:41:3d:5c:76:de:c9:41:b3:74:5f:cc:72:ed:82:eb:03:30:0d:bb

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_APPCONTAINER
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
InitializeCriticalSectionEx
CreateSemaphoreExW
DeleteCriticalSection
LeaveCriticalSection
TryAcquireSRWLockExclusive
AcquireSRWLockExclusive
InitializeSRWLock
EnterCriticalSection
ReleaseSemaphore
InitializeCriticalSection
OpenSemaphoreW
ReleaseMutex
ReleaseSRWLockShared
WaitForSingleObjectEx
CreateMutexExW
AcquireSRWLockShared
ReleaseSRWLockExclusive
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolWork
CreateThreadpoolWork
FreeLibraryWhenCallbackReturns
SetThreadpoolTimer
CreateThreadpoolTimer
CloseThreadpoolTimer
SubmitThreadpoolWork
WaitForThreadpoolTimerCallbacks

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWriteTransfer
EventActivityIdControl
EventUnregister
EventSetInformation

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
TerminateProcess
GetStartupInfoW
GetCurrentProcessId
GetCurrentProcess

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-localization-l1-2-0

LCMapStringEx
FormatMessageW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException
SetLastError
GetLastError

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoCreateInstance
CoGetObjectContext
CoGetContextToken
CoTaskMemAlloc
CoCreateFreeThreadedMarshaler
CoIncrementMTAUsage
IIDFromString
CoGetApartmentType

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceExecuteOnce
WakeAllConditionVariable
InitializeConditionVariable
WakeConditionVariable
SleepConditionVariableSRW
InitOnceComplete

api-ms-win-core-winrt-string-l1-1-0

WindowsCompareStringOrdinal
WindowsCreateStringReference
WindowsPromoteStringBuffer
WindowsPreallocateStringBuffer
WindowsIsStringEmpty
WindowsGetStringRawBuffer
WindowsGetStringLen
WindowsDuplicateString
WindowsDeleteStringBuffer
WindowsDeleteString
WindowsCreateString
WindowsConcatString

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-file-l1-1-0

DeleteFileW

api-ms-win-core-kernel32-legacy-l1-1-0

MoveFileW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFileExistsW

wincorlib

?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
??0InvalidArgumentException@Platform@@QE$AAA@XZ
??0NotImplementedException@Platform@@QE$AAA@XZ
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z
?CreateException@Exception@Platform@@SAPE$AAV12@HPE$AAVString@2@@Z
?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z
?__abi_ObjectToString@__abi_details@@YAPE$AAVString@Platform@@PE$AAVObject@3@_N@Z
?GetIBoxVtable@Details@Platform@@YAPEAXPEAX@Z
?CreateValue@Details@Platform@@YAPE$AAVObject@2@W4TypeCode@2@PEBX@Z
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@PE$AAV12@@Z
??0NullReferenceException@Platform@@QE$AAA@XZ
?ReCreateException@Exception@Platform@@SAPE$AAV12@H@Z
??0Object@Platform@@QE$AAA@XZ
??0DisconnectedException@Platform@@QE$AAA@XZ
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z
?GetObjectContext@Details@Platform@@YAPEAUIUnknown@@XZ
?GetProxyImpl@Details@Platform@@YAJPEAUIUnknown@@AEBU_GUID@@0PEAPEAU3@@Z
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z
?Allocate@Heap@Details@Platform@@SAPEAX_K@Z
?__abi_FailFast@@YAXXZ
?ReleaseInContextImpl@Details@Platform@@YAJPEAUIUnknown@@0@Z
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z
??0FailureException@Platform@@QE$AAA@XZ
?__abi_WinRTraiseNotImplementedException@@YAXXZ
?__abi_WinRTraiseInvalidCastException@@YAXXZ
?__abi_WinRTraiseNullReferenceException@@YAXXZ
?__abi_WinRTraiseOperationCanceledException@@YAXXZ
?__abi_WinRTraiseFailureException@@YAXXZ
?__abi_WinRTraiseAccessDeniedException@@YAXXZ
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ
?__abi_WinRTraiseChangedStateException@@YAXXZ
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ
?__abi_WinRTraiseWrongThreadException@@YAXXZ
?__abi_WinRTraiseDisconnectedException@@YAXXZ
?InitializeData@Details@Platform@@YAJH@Z
?UninitializeData@Details@Platform@@YAXH@Z
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z
?__abi_cast_Object_to_String@__abi_details@@YAPE$AAVString@Platform@@_NPE$AAVObject@3@@Z
?__abi_cast_String_to_Object@__abi_details@@YAPE$AAVObject@Platform@@PE$AAVString@3@@Z
?get@FullName@Type@Platform@@QE$AAAPE$AAVString@3@XZ
??0ChangedStateException@Platform@@QE$AAA@XZ
?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z
?__abi_WinRTraiseObjectDisposedException@@YAXXZ
?__abi_WinRTraiseCOMException@@YAXJ@Z
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z
??0OutOfMemoryException@Platform@@QE$AAA@XZ
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z
??0OutOfBoundsException@Platform@@QE$AAA@XZ
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z
?Free@Heap@Details@Platform@@SAXPEAX@Z
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z
??0Delegate@Platform@@QE$AAA@XZ

api-ms-win-crt-runtime-l1-1-0

_set_error_mode
_initterm
_initterm_e
_c_exit
_register_thread_local_exe_atexit_callback

api-ms-win-crt-string-l1-1-0

wcsnlen
memset
wcslen

api-ms-win-crt-locale-l1-1-0

_lock_locales
_unlock_locales

api-ms-win-crt-private-l1-1-0

_o___pctype_func
_o___std_exception_copy
_o___std_exception_destroy
_o___stdio_common_vsnprintf_s
_o___stdio_common_vswprintf
_o__callnewh
_o__calloc_base
_o__cexit
_o__configthreadlocale
_o__configure_narrow_argv
_o__crt_atexit
_o__errno
_o__exit
_o__free_base
_o__get_narrow_winmain_command_line
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__malloc_base
_o__purecall
_o__register_onexit_function
_o___p__commode
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__wcsdup
_o_abort
_o_exit
_o_free
_o_malloc
_o_realloc
_o_set_terminate
_o_setlocale
_o_terminate
_o_wcstol
__CxxFrameHandler4
__std_terminate
wcsstr
wcsrchr
strchr
_CxxThrowException
__CxxFrameHandler3
__current_exception
__AdjustPointer
__processing_throw
__GetPlatformExceptionInfo
__C_specific_handler
memcmp
memcpy
_o____mb_cur_max_func
_o____lc_locale_name_func
_o____lc_collate_cp_func
_o____lc_codepage_func
memmove

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
SetRestrictedErrorInfo
GetRestrictedErrorInfo
RoFailFastWithErrorContext

api-ms-win-core-winrt-error-l1-1-1

RoReportUnhandledError
RoOriginateLanguageException

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-rtlsupport-l1-1-0

RtlPcToFileHeader
RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-string-l1-1-0

CompareStringEx
WideCharToMultiByte
GetStringTypeW
MultiByteToWideChar

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InitializeSListHead

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

oleaut32

SysFreeString

api-ms-win-crt-math-l1-1-0

ceilf

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 394KB - Virtual size: 393KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 43KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 77KB - Virtual size: 77KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

72533fd2ce483cdc50d7d46f66737e44

Code Sign

33:00:00:03:8b:79:45:c1:8b:0e:b6:87:ec:00:00:00:00:03:8bCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

3c:97:53:44:9a:44:54:98:dc:6b:9a:5d:61:41:3d:5c:76:de:c9:41:b3:74:5f:cc:72:ed:82:eb:03:30:0d:bbSigner

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-com-l1-1-0

dxgi

api-ms-win-core-largeinteger-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

wincorlib

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-string-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

oleaut32

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 394KB - Virtual size: 393KB

.data Size: 43KB - Virtual size: 81KB

.pdata Size: 77KB - Virtual size: 77KB

.didat Size: 512B - Virtual size: 32B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 18KB - Virtual size: 17KB

33:00:00:03:8b:79:45:c1:8b:0e:b6:87:ec:00:00:00:00:03:8b
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

3c:97:53:44:9a:44:54:98:dc:6b:9a:5d:61:41:3d:5c:76:de:c9:41:b3:74:5f:cc:72:ed:82:eb:03:30:0d:bb
Signer

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 394KB - Virtual size: 393KB

.data
Size: 43KB - Virtual size: 81KB

.pdata
Size: 77KB - Virtual size: 77KB

.didat
Size: 512B - Virtual size: 32B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 18KB - Virtual size: 17KB