ShellExperienceHost[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

ShellExperienceHost.exe
Size

925KB
MD5

009eb7525eb2aea39526cca56fb38dec
SHA1

bcef0a2f1956a5bab7d045ea9504a13cc931cd45
SHA256

3f0048d3df9799044a828e8501198df34c96ada2a64e633a780ae28debfcea4b
SHA512

f77dbab864a648cb7a30575cd5b38168a33adc2f4da25f9f4918f16ec53b8599c0cc013c614e8c9279e193b2221047c6c8f7a81e10e73b384ef9040c4cb4bf03
SSDEEP

24576:8eN23XWEeXGKTv48Kq1MM4OHUWkYBMxYKrs:JEH5eXGxtqqYKQ

Score

1^/10

Malware Config

Signatures

Files

ShellExperienceHost.exe
.exe windows:6 windows x86

111ac677fd865c0373a486b18e018f55

Code Sign

33:00:00:00:bc:e1:20:fd:d2:7c:c8:ee:93:00:00:00:00:00:bc
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/08/2015, 17:15

Not After

18/11/2016, 17:15

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ea:a1:d5:fd:2e:49:90:dc:f5:6e:23:1e:df:66:d9:74:01:67:52:13:c8:9f:f0:16:17:06:13:02:35:a4:9b:14
Signer

Actual PE Digest

ea:a1:d5:fd:2e:49:90:dc:f5:6e:23:1e:df:66:d9:74:01:67:52:13:c8:9f:f0:16:17:06:13:02:35:a4:9b:14

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_wcsdup
abort
___lc_collate_cp_func
calloc
__pctype_func
___lc_codepage_func
___lc_handle_func
___mb_cur_max_func
__crtCompareStringW
__crtLCMapStringW
setlocale
memcpy
??0exception@@QAE@ABQBDH@Z
_callnewh
_CxxThrowException
memset
wcslen
__ExceptionPtrCurrentException
_get_current_locale
_free_locale
?terminate@@YAXXZ
memmove
_vsnwprintf
free
malloc
memcpy_s
?set_terminate@@YAP6AXXZP6AXXZ@Z
??0exception@@QAE@ABV0@@Z
_controlfp
_except_handler4_common
_acmdln
_initterm
__setusermatherr
_ismbblead
__p__fmode
_cexit
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
__p__commode
_XcptFilter
__CxxFrameHandler3
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UAE@XZ
realloc
strchr
??3@YAXPAX@Z
??1bad_cast@@UAE@XZ
__ExceptionPtrCopy
__ExceptionPtrDestroy
_purecall
??0bad_cast@@QAE@ABV0@@Z
wcsrchr
wcstol
__ExceptionPtrCreate
_errno
wcsstr
_vsnprintf_s
??0exception@@QAE@XZ
??0exception@@QAE@ABQBD@Z
??0bad_cast@@QAE@PBD@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ

wincorlib

?CreateException@Exception@Platform@@SAP$AAV12@H@Z
?Allocate@Heap@Details@Platform@@SAPAXII@Z
?__abi_WinRTraiseCOMException@@YGXJ@Z
?__abi_WinRTraiseObjectDisposedException@@YGXXZ
?__abi_WinRTraiseDisconnectedException@@YGXXZ
?__abi_WinRTraiseWrongThreadException@@YGXXZ
?__abi_WinRTraiseClassNotRegisteredException@@YGXXZ
?__abi_WinRTraiseChangedStateException@@YGXXZ
?__abi_WinRTraiseOutOfBoundsException@@YGXXZ
?__abi_WinRTraiseInvalidArgumentException@@YGXXZ
?__abi_WinRTraiseOutOfMemoryException@@YGXXZ
?__abi_WinRTraiseAccessDeniedException@@YGXXZ
?__abi_WinRTraiseFailureException@@YGXXZ
?__abi_WinRTraiseOperationCanceledException@@YGXXZ
?__abi_WinRTraiseNullReferenceException@@YGXXZ
?__abi_WinRTraiseInvalidCastException@@YGXXZ
?__abi_WinRTraiseNotImplementedException@@YGXXZ
?Free@Heap@Details@Platform@@SAXPAX@Z
?AlignedFree@Heap@Details@Platform@@SAXPAX@Z
?ReleaseTarget@ControlBlock@Details@Platform@@AAEXXZ
?ReleaseInContextImpl@Details@Platform@@YGJPAUIUnknown@@0@Z
?GetObjectContext@Details@Platform@@YGPAUIUnknown@@XZ
?__abi_FailFast@@YGXXZ
?GetCmdArguments@Details@Platform@@YGPAPA_WPAH@Z
?GetIidsFn@@YGJHPAKPBU__s_GUID@@PAPAVGuid@Platform@@@Z
?GetActivationFactoryByPCWSTR@@YGJPAXAAVGuid@Platform@@PAPAX@Z
?UninitializeData@Details@Platform@@YGXH@Z
?InitializeData@Details@Platform@@YGJH@Z
?get@FullName@Type@Platform@@Q$AAAP$AAVString@3@XZ
?__abi_ObjectToString@__abi_details@@YGP$AAVString@Platform@@P$AAVObject@3@_N@Z
?GetIBoxVtable@Details@Platform@@YGPAXPAX@Z
?CreateValue@Details@Platform@@YGP$AAVObject@2@W4TypeCode@2@PBX@Z
?__abi_make_type_id@@YGP$AAVType@Platform@@ABU__abi_type_descriptor@@@Z
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@P$AAV12@@Z
?__abi_cast_String_to_Object@__abi_details@@YGP$AAVObject@Platform@@P$AAVString@3@@Z
?__abi_cast_Object_to_String@__abi_details@@YGP$AAVString@Platform@@_NP$AAVObject@3@@Z
?EventSourceGetTargetArrayEvent@Details@Platform@@YGPAXPAXIPBXPA_J@Z
?EventSourceGetTargetArraySize@Details@Platform@@YGIPAX@Z
?EventSourceGetTargetArray@Details@Platform@@YGPAXPAXPAUEventLock@12@@Z
?ResolveWeakReference@Details@Platform@@YGP$AAVObject@2@ABU_GUID@@PAPAU__abi_IUnknown@@@Z
??0ChangedStateException@Platform@@Q$AAA@XZ
?EventSourceInitialize@Details@Platform@@YGXPAPAX@Z
??0OutOfBoundsException@Platform@@Q$AAA@XZ
??0FailureException@Platform@@Q$AAA@XZ
??0OutOfMemoryException@Platform@@Q$AAA@XZ
?EventSourceAdd@Details@Platform@@YG?AVEventRegistrationToken@Foundation@Windows@@PAPAXPAUEventLock@12@P$AAVDelegate@2@@Z
?EventSourceRemove@Details@Platform@@YGXPAPAXPAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
??0InvalidArgumentException@Platform@@Q$AAA@XZ
??0NotImplementedException@Platform@@Q$AAA@XZ
?EventSourceUninitialize@Details@Platform@@YGXPAPAX@Z
?GetWeakReference@Details@Platform@@YGPAU__abi_IUnknown@@Q$ADVObject@2@@Z
?CreateException@Exception@Platform@@SAP$AAV12@HP$AAVString@2@@Z
?get@Message@Exception@Platform@@Q$AAAP$AAVString@3@XZ
?GetIBoxArrayVtable@Details@Platform@@YGPAXPAX@Z
??0NullReferenceException@Platform@@Q$AAA@XZ
?ReCreateException@Exception@Platform@@SAP$AAV12@H@Z
??0Object@Platform@@Q$AAA@XZ
??0DisconnectedException@Platform@@Q$AAA@XZ
?AllocateException@Heap@Details@Platform@@SAPAXII@Z
?GetProxyImpl@Details@Platform@@YGJPAUIUnknown@@ABU_GUID@@0PAPAU3@@Z
??0Delegate@Platform@@Q$AAA@XZ
?Allocate@Heap@Details@Platform@@SAPAXI@Z
?__abi_translateCurrentException@@YGJ_N@Z

api-ms-win-core-com-l1-1-1

CoGetObjectContext
CoTaskMemFree
CoTaskMemAlloc
CoCreateFreeThreadedMarshaler
CoGetApartmentType
CoMarshalInterThreadInterfaceInStream
CoGetContextToken
CoGetInterfaceAndReleaseStream

api-ms-win-eventing-provider-l1-1-0

EventActivityIdControl
EventWriteTransfer
EventSetInformation
EventRegister
EventUnregister

api-ms-win-core-processthreads-l1-1-2

GetCurrentThreadId
TerminateProcess
GetCurrentProcess
GetCurrentProcessId

api-ms-win-core-heap-l1-2-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-debug-l1-1-1

OutputDebugStringW

api-ms-win-core-localization-l1-2-1

FormatMessageW

api-ms-win-core-synch-l1-2-0

ReleaseSemaphore
EnterCriticalSection
CreateEventExW
OpenSemaphoreW
CreateSemaphoreExW
WaitForSingleObjectEx
DeleteCriticalSection
InitOnceComplete
InitOnceBeginInitialize
Sleep
LeaveCriticalSection
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
WaitForSingleObject
ReleaseMutex
ResetEvent
SetEvent
CreateMutexExW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
LoadLibraryExW
GetModuleHandleExW
GetProcAddress
GetModuleHandleA

api-ms-win-core-errorhandling-l1-1-1

GetLastError
UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-kernel32-legacy-l1-1-1

GetStartupInfoA

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-2-1

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-winrt-error-l1-1-1

RoOriginateError
RoFailFastWithErrorContext
RoReportUnhandledError
SetRestrictedErrorInfo

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsDuplicateString
WindowsDeleteString
WindowsCompareStringOrdinal
WindowsIsStringEmpty
WindowsConcatString
WindowsGetStringRawBuffer
WindowsCreateString
WindowsGetStringLen

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW

api-ms-win-core-delayload-l1-1-1

DelayLoadFailureHook
ResolveDelayLoadedAPI

Sections

.text
Size: 593KB - Virtual size: 593KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 235KB - Virtual size: 235KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

111ac677fd865c0373a486b18e018f55

Code Sign

33:00:00:00:bc:e1:20:fd:d2:7c:c8:ee:93:00:00:00:00:00:bcCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

ea:a1:d5:fd:2e:49:90:dc:f5:6e:23:1e:df:66:d9:74:01:67:52:13:c8:9f:f0:16:17:06:13:02:35:a4:9b:14Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

wincorlib

api-ms-win-core-com-l1-1-1

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-heap-l1-2-0

api-ms-win-core-debug-l1-1-1

api-ms-win-core-localization-l1-2-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-largeinteger-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-delayload-l1-1-1

Sections

.text Size: 593KB - Virtual size: 593KB

.rdata Size: 235KB - Virtual size: 235KB

.data Size: 32KB - Virtual size: 33KB

.didat Size: 512B - Virtual size: 16B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 53KB - Virtual size: 52KB

33:00:00:00:bc:e1:20:fd:d2:7c:c8:ee:93:00:00:00:00:00:bc
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

ea:a1:d5:fd:2e:49:90:dc:f5:6e:23:1e:df:66:d9:74:01:67:52:13:c8:9f:f0:16:17:06:13:02:35:a4:9b:14
Signer

.text
Size: 593KB - Virtual size: 593KB

.rdata
Size: 235KB - Virtual size: 235KB

.data
Size: 32KB - Virtual size: 33KB

.didat
Size: 512B - Virtual size: 16B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 53KB - Virtual size: 52KB