StartMenuExperienceHost.exe

  • File Path: C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

Runtime Data

Child Processes:

  • StartMenuExperienceHost.exe
  • WerFault.exe

Open Handles:

| Path | Type |
| --- | --- |
| (RW-) C:\Windows\System32 | File |
| \BaseNamedObjects\__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name:
  • Company Name:
  • File Version:
  • Product Version:
  • Language:
  • Legal Copyright:
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/ec5f923e60d162c48058b7fde56a85e74e45d979ed923330b07dc32b1adad473/detection

Possible Misuse

The following table contains possible examples of StartMenuExperienceHost.exe being misused. While StartMenuExperienceHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | sysmon_raw_disk_access_using_illegitimate_tools.yml | Image\|startswith: 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost' | DRL 1.0 |
| sigma | sysmon_raw_disk_access_using_illegitimate_tools.yml | Image\|endswith: '\StartMenuExperienceHost.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.