CloudExperienceHostUser[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

CloudExperienceHostUser.dll
Size

182KB
MD5

bc2174b5010107f7eb68ecf04482decf
SHA1

8ac9a35ab2312e76379d6a1d1fd89acdfa340d11
SHA256

c544caca6e6accdbbb9e43a0a314abb37fd8a4e61fbb9620a816ecdafc0d0d11
SHA512

f47f29f3d515a820030d080f3f29fdd5ca21dd84b2724fe3a1fc00e64c6f730c00e51ebb053d71938846140863623a4f3523201aff32649a533659402d2ef50e
SSDEEP

3072:mFcVjoxtaTIf77sqQ0Mdl5U5DIMYCglC9dO8iBzQWONbx2y1c2bWGRnhV4/OKinj:mFcVjoxtaTIfs0MdllL8iBzQWONbx2gj

Score

1^/10

Malware Config

Signatures

Files

CloudExperienceHostUser.dll
.dll windows:10 windows x86 arch:x86

170218471edef7d2b8a0dd916ba22848

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/03/2020, 18:30

Not After

03/03/2021, 18:30

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b9:87:35:88:51:15:5e:a0:68:fa:13:e2:cd:4e:46:53:4e:68:2f:73:87:10:d4:c2:b2:36:60:e2:a9:f2:e8:36
Signer

Actual PE Digest

b9:87:35:88:51:15:5e:a0:68:fa:13:e2:cd:4e:46:53:4e:68:2f:73:87:10:d4:c2:b2:36:60:e2:a9:f2:e8:36

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

CloudExperienceHostUser.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-string-l1-1-0

memset

api-ms-win-crt-private-l1-1-0

_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
memmove
_o__execute_onexit_table
_o_free
_o_malloc
_o_toupper
_except_handler4_common
_o__errno
_CxxThrowException
_o__crt_atexit
_o__configure_narrow_argv
_o__cexit
_o__callnewh
_o___stdio_common_vswprintf
_o___stdio_common_vsnprintf_s
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
__std_terminate
__CxxFrameHandler3
memcmp
memcpy

twinapi.appcore

ord2
ord3

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW
GetProcAddress
DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
CreateEventW
ResetEvent
SetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
WaitForSingleObjectEx
AcquireSRWLockExclusive
ReleaseSRWLockShared
CreateEventExW
ReleaseMutex
AcquireSRWLockShared
CreateMutexExW
WaitForSingleObject
OpenSemaphoreW
ReleaseSemaphore
CreateSemaphoreExW

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

RaiseException
GetLastError
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsDeleteString
WindowsDuplicateString
HSTRING_UserUnmarshal
HSTRING_UserFree
HSTRING_UserMarshal
HSTRING_UserSize
WindowsCreateStringReference
WindowsGetStringRawBuffer
WindowsIsStringEmpty
WindowsStringHasEmbeddedNull

api-ms-win-eventing-provider-l1-1-0

EventActivityIdControl
EventUnregister
EventRegister
EventSetInformation
EventWriteTransfer
EventProviderEnabled

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
OpenProcessToken
GetCurrentProcessId
OpenThreadToken
GetProcessId
GetCurrentProcess
TerminateProcess
GetCurrentThread

api-ms-win-core-winrt-error-l1-1-0

GetRestrictedErrorInfo
SetRestrictedErrorInfo
RoOriginateError
RoOriginateErrorW
RoTransformError

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-com-l1-1-0

CoGetCallerTID
CoReleaseMarshalData
CoGetCallContext
StringFromCLSID
PropVariantClear
CoMarshalInterface
CoImpersonateClient
CreateStreamOnHGlobal
CoGetMalloc
CoTaskMemAlloc
CoTaskMemFree
CoCreateInstance
CoRevertToSelf
CoCreateFreeThreadedMarshaler
CoWaitForMultipleHandles

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoActivateInstance

rpcrt4

NdrDllGetClassObject
NdrDllCanUnloadNow
NdrCStdStubBuffer2_Release
NdrStubForwardingFunction
NdrStubCall2
IUnknown_AddRef_Proxy
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_Invoke
CStdStubBuffer_AddRef
IUnknown_Release_Proxy
NdrOleAllocate
CStdStubBuffer_DebugServerRelease
IUnknown_QueryInterface_Proxy
CStdStubBuffer_IsIIDSupported
NdrOleFree

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient12
ObjectStublessClient16
ObjectStublessClient10
NdrProxyForwardingFunction3
ObjectStublessClient11
CStdStubBuffer2_CountRefs
ObjectStublessClient15
ObjectStublessClient9
ObjectStublessClient14
CStdStubBuffer2_Disconnect
ObjectStublessClient7
ObjectStublessClient13
CStdStubBuffer2_QueryInterface
ObjectStublessClient8
NdrProxyForwardingFunction4
NdrProxyForwardingFunction5
ObjectStublessClient6
CStdStubBuffer2_Connect

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-1

RoReportFailedDelegate
RoGetMatchingRestrictedErrorInfo
IsErrorPropagationEnabled

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegSetValueExW
RegGetValueW
RegOpenKeyExW

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep
InitOnceComplete
InitOnceBeginInitialize

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-security-base-l1-1-0

RevertToSelf
GetAce
EqualSid
DuplicateTokenEx
GetTokenInformation

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

combase

ord147

ntdll

RtlAddAccessAllowedAce
RtlAddAce
RtlGetDaclSecurityDescriptor
NtSetSecurityObject
NtQuerySecurityObject
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlGetAce
RtlCreateAcl
RtlLengthSid
RtlQueryInformationAcl

propsys

PropVariantToStringAlloc

msvcp_win

?_Xlength_error@std@@YAXPBD@Z

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject

Sections

.text
Size: 151KB - Virtual size: 150KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

170218471edef7d2b8a0dd916ba22848

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

b9:87:35:88:51:15:5e:a0:68:fa:13:e2:cd:4e:46:53:4e:68:2f:73:87:10:d4:c2:b2:36:60:e2:a9:f2:e8:36Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-private-l1-1-0

twinapi.appcore

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-winrt-l1-1-0

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-stateseparation-helpers-l1-1-0

combase

ntdll

propsys

msvcp_win

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 151KB - Virtual size: 150KB

.data Size: 512B - Virtual size: 2KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 44B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 11KB - Virtual size: 10KB

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

b9:87:35:88:51:15:5e:a0:68:fa:13:e2:cd:4e:46:53:4e:68:2f:73:87:10:d4:c2:b2:36:60:e2:a9:f2:e8:36
Signer

.text
Size: 151KB - Virtual size: 150KB

.data
Size: 512B - Virtual size: 2KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 44B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 11KB - Virtual size: 10KB