StartMenuExperienceHost[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

StartMenuExperienceHost.exe
Size

1004KB
MD5

d5b8ae7e30dda62ceb09b38998483300
SHA1

344d2f07303b9ba301caf238971599c52b201eb4
SHA256

3b1dca74f068b1e7dd3c28c82cf344f0f4358604af6582d8867ff761d010296e
SHA512

ff7a15f0e7b9f24b048dbab0314e13ca4401dc796e5dd50a27be15a2c4a912a89223942ccf744a9e3eb5e83249a5232a96aa6664f884d80ff51716324db175c5
SSDEEP

12288:xV9S9FFhIIvqjdSr+HExn6FyS2IpVsZuT18siyMBdNDuMuKe:xYTqjd3kxn6FyCpVrT18siyMBd8

Score

1^/10

Malware Config

Signatures

Files

StartMenuExperienceHost.exe
.exe windows:10 windows x64

cd11c6ee2d417d3891c3933bb4f27b50

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a1:ea:9c:cf:a9:2f:e6:16:05:82:90:19:89:0e:3c:78:6a:a3:4f:81:23:06:41:f4:ac:2d:83:4d:be:01:23:4c
Signer

Actual PE Digest

a1:ea:9c:cf:a9:2f:e6:16:05:82:90:19:89:0e:3c:78:6a:a3:4f:81:23:06:41:f4:ac:2d:83:4d:be:01:23:4c

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_APPCONTAINER
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-eventing-provider-l1-1-0

EventActivityIdControl
EventWriteTransfer
EventUnregister
EventSetInformation
EventRegister

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcess
GetCurrentProcessId
TerminateProcess
GetStartupInfoW

api-ms-win-core-localization-l1-2-0

LCMapStringEx
FormatMessageW

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoGetContextToken
CoCreateFreeThreadedMarshaler
CoTaskMemAlloc

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegCloseKey
RegGetValueW
RegCreateKeyExW

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
InitOnceComplete
Sleep
InitOnceBeginInitialize

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
SetLastError

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
AcquireSRWLockShared
ResetEvent
CreateMutexExW
CreateEventW
ReleaseSRWLockShared
OpenSemaphoreW
WaitForSingleObjectEx
ReleaseMutex
WaitForSingleObject
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
CreateSemaphoreExW
SetEvent
InitializeCriticalSectionAndSpinCount
InitializeCriticalSection
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseSemaphore

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-winrt-string-l1-1-0

WindowsCompareStringOrdinal
WindowsCreateStringReference
WindowsIsStringEmpty
WindowsGetStringRawBuffer
WindowsGetStringLen
WindowsDuplicateString
WindowsDeleteString
WindowsCreateString
WindowsConcatString

api-ms-win-core-psapi-l1-1-0

K32GetModuleFileNameExW

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleW
GetModuleHandleExW

api-ms-win-core-handle-l1-1-0

CloseHandle

wincorlib

?ReleaseInContextImpl@Details@Platform@@YAJPEAUIUnknown@@0@Z
??0ChangedStateException@Platform@@QE$AAA@XZ
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z
??0OutOfBoundsException@Platform@@QE$AAA@XZ
?GetObjectContext@Details@Platform@@YAPEAUIUnknown@@XZ
??0OutOfMemoryException@Platform@@QE$AAA@XZ
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z
?GetProxyImpl@Details@Platform@@YAJPEAUIUnknown@@AEBU_GUID@@0PEAPEAU3@@Z
?__abi_cast_Object_to_String@__abi_details@@YAPE$AAVString@Platform@@_NPE$AAVObject@3@@Z
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z
??0FailureException@Platform@@QE$AAA@XZ
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
??0NullReferenceException@Platform@@QE$AAA@XZ
??0InvalidArgumentException@Platform@@QE$AAA@XZ
??0NotImplementedException@Platform@@QE$AAA@XZ
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z
?CreateException@Exception@Platform@@SAPE$AAV12@HPE$AAVString@2@@Z
?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ
??0Object@Platform@@QE$AAA@XZ
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z
?get@FullName@Type@Platform@@QE$AAAPE$AAVString@3@XZ
?__abi_FailFast@@YAXXZ
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z
?Free@Heap@Details@Platform@@SAXPEAX@Z
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z
?__abi_WinRTraiseNotImplementedException@@YAXXZ
?__abi_WinRTraiseInvalidCastException@@YAXXZ
?__abi_WinRTraiseNullReferenceException@@YAXXZ
?__abi_WinRTraiseOperationCanceledException@@YAXXZ
?__abi_WinRTraiseFailureException@@YAXXZ
?__abi_WinRTraiseAccessDeniedException@@YAXXZ
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ
?__abi_WinRTraiseChangedStateException@@YAXXZ
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ
?__abi_WinRTraiseWrongThreadException@@YAXXZ
?__abi_WinRTraiseDisconnectedException@@YAXXZ
?__abi_WinRTraiseObjectDisposedException@@YAXXZ
?__abi_WinRTraiseCOMException@@YAXJ@Z
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z
?InitializeData@Details@Platform@@YAJH@Z
?UninitializeData@Details@Platform@@YAXH@Z
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z
??0Delegate@Platform@@QE$AAA@XZ
?__abi_cast_String_to_Object@__abi_details@@YAPE$AAVObject@Platform@@PE$AAVString@3@@Z
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@PE$AAV12@@Z
?CreateValue@Details@Platform@@YAPE$AAVObject@2@W4TypeCode@2@PEBX@Z
?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z
?GetIBoxVtable@Details@Platform@@YAPEAXPEAX@Z
?__abi_ObjectToString@__abi_details@@YAPE$AAVString@Platform@@PE$AAVObject@3@_N@Z
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_initterm
_c_exit
_set_error_mode
_initterm_e

api-ms-win-crt-string-l1-1-0

wcsnlen
memset
wcslen

api-ms-win-crt-locale-l1-1-0

_lock_locales
_unlock_locales

api-ms-win-crt-private-l1-1-0

__current_exception_context
__current_exception
memcmp
memcpy
__C_specific_handler
_CxxThrowException
__CxxFrameHandler3
strchr
_o____lc_codepage_func
_o____lc_collate_cp_func
_o____lc_locale_name_func
_o____mb_cur_max_func
_o___p__commode
_o___pctype_func
_o___std_exception_copy
_o___std_exception_destroy
_o___stdio_common_vsnprintf_s
_o___stdio_common_vswprintf
_o__callnewh
_o__calloc_base
_o__cexit
_o__configthreadlocale
_o__configure_narrow_argv
_o__crt_atexit
_o__errno
_o__exit
_o__free_base
_o__get_narrow_winmain_command_line
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__malloc_base
memmove
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__wcsdup
_o_abort
_o_exit
_o_free
_o_malloc
_o_realloc
_o_set_terminate
_o_setlocale
_o_terminate
_o_wcstol
__CxxFrameHandler4
__std_terminate
wcsrchr
wcsstr

api-ms-win-core-winrt-error-l1-1-0

RoFailFastWithErrorContext
SetRestrictedErrorInfo
RoOriginateError

api-ms-win-core-winrt-error-l1-1-1

RoReportUnhandledError

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-string-l1-1-0

CompareStringEx
GetStringTypeW
WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

Sections

.text
Size: 668KB - Virtual size: 667KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 239KB - Virtual size: 239KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 22KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

cd11c6ee2d417d3891c3933bb4f27b50

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

a1:ea:9c:cf:a9:2f:e6:16:05:82:90:19:89:0e:3c:78:6a:a3:4f:81:23:06:41:f4:ac:2d:83:4d:be:01:23:4cSigner

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-handle-l1-1-0

wincorlib

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

ntdll

api-ms-win-core-util-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

Sections

.text Size: 668KB - Virtual size: 667KB

.rdata Size: 239KB - Virtual size: 239KB

.data Size: 22KB - Virtual size: 25KB

.pdata Size: 52KB - Virtual size: 51KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 11KB - Virtual size: 10KB

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

a1:ea:9c:cf:a9:2f:e6:16:05:82:90:19:89:0e:3c:78:6a:a3:4f:81:23:06:41:f4:ac:2d:83:4d:be:01:23:4c
Signer

.text
Size: 668KB - Virtual size: 667KB

.rdata
Size: 239KB - Virtual size: 239KB

.data
Size: 22KB - Virtual size: 25KB

.pdata
Size: 52KB - Virtual size: 51KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 11KB - Virtual size: 10KB