CloudExperienceHostUser[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

CloudExperienceHostUser.dll
Size

199KB
MD5

870d89c1263926ee8fb460000e933291
SHA1

601296f3ff6361f21d8d76134d1e74a8aee7652c
SHA256

7fc30b11b1b5b5ee8a2a774ed7bc5b2cb38d1c2a530939239e9f00bfb981c057
SHA512

1475e0ae34f8cc95af6d2f9ea00909f982e268b707099985975d6b9b8073a127cf760d2c83a3b3bd4132ad008c7dafe12ae1b5bef6752878ee29881bcdb9d200
SSDEEP

6144:27ZE7XAT6WhTezB9jQpIp7JzrrGom4Hb2Bx:2lEj5j52Bx

Score

1^/10

Malware Config

Signatures

Files

CloudExperienceHostUser.dll
.dll windows:10 windows x86 arch:x86

0abe32fb1c07e951f270ab4eb65a823a

Code Sign

33:00:00:04:5f:f3:c9:6c:1a:7f:f7:da:1d:00:00:00:00:04:5f
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16-11-2023 19:20

Not After

14-11-2024 19:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ac:a5:e7:60:18:82:92:41:f3:01:6c:dc:de:5a:1f:1e:38:93:dd:e3:6c:6c:1e:0b:33:90:08:03:17:1e:6c:0a
Signer

Actual PE Digest

ac:a5:e7:60:18:82:92:41:f3:01:6c:dc:de:5a:1f:1e:38:93:dd:e3:6c:6c:1e:0b:33:90:08:03:17:1e:6c:0a

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

CloudExperienceHostUser.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__errno
_o__execute_onexit_table
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
memmove
_o__wtol
_o_free
_o_malloc
_o_terminate
_o_toupper
_except_handler4_common
_o__crt_atexit
_CxxThrowException
_o__configure_narrow_argv
_o__cexit
_o__callnewh
_o___stdio_common_vswprintf
_o___stdio_common_vsnprintf_s
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
__std_terminate
__CxxFrameHandler3
memcmp
memcpy

api-ms-win-crt-string-l1-1-0

memset

twinapi.appcore

ord2
ord3

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls
GetProcAddress
GetModuleFileNameA
GetModuleHandleW
GetModuleHandleExW

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
InitOnceComplete
Sleep
InitOnceBeginInitialize

api-ms-win-core-synch-l1-1-0

CreateEventExW
CreateSemaphoreExW
SetEvent
ReleaseSemaphore
AcquireSRWLockShared
CreateMutexExW
AcquireSRWLockExclusive
WaitForSingleObject
OpenSemaphoreW
ReleaseMutex
ReleaseSRWLockShared
WaitForSingleObjectEx
ReleaseSRWLockExclusive

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
RaiseException
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsDuplicateString
HSTRING_UserUnmarshal
HSTRING_UserFree
HSTRING_UserMarshal
HSTRING_UserSize
WindowsCreateStringReference
WindowsDeleteString
WindowsGetStringRawBuffer
WindowsIsStringEmpty
WindowsStringHasEmbeddedNull

api-ms-win-eventing-provider-l1-1-0

EventProviderEnabled
EventActivityIdControl
EventUnregister
EventRegister
EventSetInformation
EventWriteTransfer

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
OpenProcessToken
GetCurrentProcess
TerminateProcess
GetProcessId
OpenThreadToken
GetCurrentProcessId
GetCurrentThread

api-ms-win-core-winrt-error-l1-1-0

RoOriginateErrorW
SetRestrictedErrorInfo
GetRestrictedErrorInfo
RoOriginateError
RoTransformError

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetTickCount64

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-com-l1-1-0

PropVariantClear
CoGetCallContext
CoCreateFreeThreadedMarshaler
CoWaitForMultipleHandles
CoRevertToSelf
CoImpersonateClient
CoReleaseMarshalData
CoCreateInstance
StringFromCLSID
CoTaskMemFree
CoTaskMemAlloc
CoMarshalInterface
CoGetMalloc
CoGetCallerTID
CreateStreamOnHGlobal

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoActivateInstance

rpcrt4

IUnknown_AddRef_Proxy
NdrCStdStubBuffer2_Release
NdrDllGetClassObject
NdrDllCanUnloadNow
CStdStubBuffer_Invoke
NdrStubForwardingFunction
NdrStubCall2
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_DebugServerQueryInterface
IUnknown_QueryInterface_Proxy
NdrOleFree
CStdStubBuffer_AddRef
IUnknown_Release_Proxy
NdrOleAllocate
CStdStubBuffer_DebugServerRelease

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient7
NdrProxyForwardingFunction3
ObjectStublessClient15
ObjectStublessClient10
ObjectStublessClient9
ObjectStublessClient8
ObjectStublessClient13
ObjectStublessClient16
ObjectStublessClient6
CStdStubBuffer2_Disconnect
NdrProxyForwardingFunction5
CStdStubBuffer2_CountRefs
ObjectStublessClient11
NdrProxyForwardingFunction4
CStdStubBuffer2_Connect
ObjectStublessClient12
ObjectStublessClient14
CStdStubBuffer2_QueryInterface

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
IsErrorPropagationEnabled
RoReportFailedDelegate

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegCloseKey
RegSetValueExW
RegOpenKeyExW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-security-base-l1-1-0

RevertToSelf
GetAce
EqualSid
DuplicateTokenEx
GetTokenInformation

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

combase

ord147

ntdll

RtlNtStatusToDosError
RtlCreateAcl
NtSetSecurityObject
RtlCreateSecurityDescriptor
NtQuerySecurityObject
RtlAddAccessAllowedAce
RtlSetDaclSecurityDescriptor
RtlGetAce
RtlLengthSid
RtlQueryInformationAcl
RtlAddAce
RtlGetDaclSecurityDescriptor

propsys

PropVariantToStringAlloc

msvcp_win

?_Xlength_error@std@@YAXPBD@Z

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject

Sections

.text
Size: 166KB - Virtual size: 165KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0abe32fb1c07e951f270ab4eb65a823a

Code Sign

33:00:00:04:5f:f3:c9:6c:1a:7f:f7:da:1d:00:00:00:00:04:5fCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

ac:a5:e7:60:18:82:92:41:f3:01:6c:dc:de:5a:1f:1e:38:93:dd:e3:6c:6c:1e:0b:33:90:08:03:17:1e:6c:0aSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

twinapi.appcore

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-winrt-l1-1-0

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-stateseparation-helpers-l1-1-0

combase

ntdll

propsys

msvcp_win

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 166KB - Virtual size: 165KB

.data Size: 512B - Virtual size: 2KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 44B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 12KB - Virtual size: 11KB

33:00:00:04:5f:f3:c9:6c:1a:7f:f7:da:1d:00:00:00:00:04:5f
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

ac:a5:e7:60:18:82:92:41:f3:01:6c:dc:de:5a:1f:1e:38:93:dd:e3:6c:6c:1e:0b:33:90:08:03:17:1e:6c:0a
Signer

.text
Size: 166KB - Virtual size: 165KB

.data
Size: 512B - Virtual size: 2KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 44B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 12KB - Virtual size: 11KB