CloudExperienceHostUser[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

CloudExperienceHostUser.dll
Size

133KB
MD5

99d898da4d44dc2ec145eedab3dad928
SHA1

37acbb396ccd49b14d34e9e3ca5a7d94aa70b6c4
SHA256

9bd2faaedae553ff0520f40f5d0a511c86fc615603501c72d66d81a85f2426e1
SHA512

1e1691a8f2dbcef1c635c6fc011fdb9ba763f4fbd85f1ee7231bf60c09f895218c44bf012956b207dca67f9f86d8f9fe28d95fc0c2362cd9de6d5dcd41f9a884
SSDEEP

3072:XQQ7zPvBQM6spEDoYaQ1LufS/wbAcDVwR8ff6WVRvTwuVOXc:gK5QMHpEkP1BdVF

Score

1^/10

Malware Config

Signatures

Files

CloudExperienceHostUser.dll
.dll windows:10 windows x86 arch:x86

a6c75ec4073c9ae35f5922d56b909e42

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/03/2020, 18:30

Not After

03/03/2021, 18:30

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

67:e2:77:5d:d3:9f:13:b7:08:47:9f:d8:e9:9d:27:fa:5b:5b:c7:5d:c5:9b:49:b2:00:f3:60:aa:08:22:21:6f
Signer

Actual PE Digest

67:e2:77:5d:d3:9f:13:b7:08:47:9f:d8:e9:9d:27:fa:5b:5b:c7:5d:c5:9b:49:b2:00:f3:60:aa:08:22:21:6f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

CloudExperienceHostUser.pdb

Imports

msvcrt

_vsnprintf_s
??0exception@@QAE@ABV0@@Z
_initterm
_lock
_unlock
__dllonexit
_amsg_exit
_onexit
??1type_info@@UAE@XZ
_except_handler4_common
memcpy
free
_XcptFilter
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABQBD@Z
memmove
_callnewh
??0exception@@QAE@XZ
??1exception@@UAE@XZ
_CxxThrowException
?what@exception@@UBEPBDXZ
??3@YAXPAX@Z
memcpy_s
_purecall
wcschr
__CxxFrameHandler3
_vsnwprintf
malloc
memset

twinapi.appcore

ord3
ord2

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
LoadLibraryExW
GetModuleHandleExW
DisableThreadLibraryCalls
GetProcAddress
FreeLibraryAndExitThread
FreeLibrary

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
CreateMutexExW
ReleaseSemaphore
CreateEventExW
Sleep
CreateSemaphoreExW
ReleaseSRWLockExclusive
ReleaseMutex
AcquireSRWLockShared
ReleaseSRWLockShared
OpenSemaphoreW
SetEvent
AcquireSRWLockExclusive
WaitForSingleObjectEx
WaitForSingleObject

api-ms-win-core-heap-l1-2-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-1

SetLastError
RaiseException
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-winrt-string-l1-1-0

HSTRING_UserSize
HSTRING_UserMarshal
WindowsCreateString
WindowsDeleteString
WindowsIsStringEmpty
WindowsCreateStringReference
HSTRING_UserUnmarshal
HSTRING_UserFree
WindowsStringHasEmbeddedNull
WindowsGetStringRawBuffer
WindowsDuplicateString

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-processthreads-l1-1-2

OpenProcess
OpenProcessToken
TlsAlloc
CreateThread
GetCurrentProcessId
TlsGetValue
TlsSetValue
GetCurrentThreadId
TlsFree
TerminateProcess
GetProcessId
GetCurrentProcess

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
SetRestrictedErrorInfo
RoTransformError
RoReportFailedDelegate
GetRestrictedErrorInfo
IsErrorPropagationEnabled
RoOriginateError
RoOriginateErrorW

api-ms-win-core-localization-l1-2-1

FormatMessageW

api-ms-win-core-debug-l1-1-1

OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-2-1

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-com-l1-1-1

CoReleaseMarshalData
CoInitializeEx
CoWaitForMultipleHandles
CoUninitialize
CreateStreamOnHGlobal
PropVariantClear
CoCreateFreeThreadedMarshaler
CoCreateInstance
CoMarshalInterface
CoGetCallerTID
CoGetCallContext
CoGetMalloc
CoTaskMemAlloc
StringFromCLSID
RoGetAgileReference
CoGetApartmentType
CoTaskMemFree

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory

rpcrt4

CStdStubBuffer_DebugServerQueryInterface
NdrStubCall2
NdrOleFree
NdrStubForwardingFunction
CStdStubBuffer_AddRef
IUnknown_Release_Proxy
CStdStubBuffer_Invoke
NdrDllCanUnloadNow
NdrDllGetClassObject
NdrCStdStubBuffer2_Release
NdrOleAllocate
CStdStubBuffer_DebugServerRelease
IUnknown_QueryInterface_Proxy
CStdStubBuffer_IsIIDSupported
IUnknown_AddRef_Proxy

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient15
CStdStubBuffer2_Disconnect
ObjectStublessClient7
CStdStubBuffer2_CountRefs
ObjectStublessClient11
ObjectStublessClient14
ObjectStublessClient12
ObjectStublessClient13
CStdStubBuffer2_QueryInterface
NdrProxyForwardingFunction4
NdrProxyForwardingFunction5
ObjectStublessClient6
ObjectStublessClient9
ObjectStublessClient10
ObjectStublessClient16
CStdStubBuffer2_Connect
ObjectStublessClient8
NdrProxyForwardingFunction3

api-ms-win-core-threadpool-l1-2-0

CallbackMayRunLong
FreeLibraryWhenCallbackReturns
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CreateThreadpoolTimer
TrySubmitThreadpoolCallback

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegCloseKey
RegGetValueW

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-security-base-l1-2-0

GetTokenInformation

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjectsEx

ntdll

RtlFreeHeap
NtQueryInformationToken
RtlInitUnicodeString
RtlAllocateHeap
RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString

propsys

PropVariantToStringAlloc

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject

Sections

.text
Size: 104KB - Virtual size: 103KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a6c75ec4073c9ae35f5922d56b909e42

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

67:e2:77:5d:d3:9f:13:b7:08:47:9f:d8:e9:9d:27:fa:5b:5b:c7:5d:c5:9b:49:b2:00:f3:60:aa:08:22:21:6fSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

twinapi.appcore

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-localization-l1-2-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-l1-1-0

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-rtcore-ntuser-synch-l1-1-0

ntdll

propsys

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 104KB - Virtual size: 103KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 7KB - Virtual size: 7KB

.didat Size: 512B - Virtual size: 44B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 10KB - Virtual size: 9KB

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

67:e2:77:5d:d3:9f:13:b7:08:47:9f:d8:e9:9d:27:fa:5b:5b:c7:5d:c5:9b:49:b2:00:f3:60:aa:08:22:21:6f
Signer

.text
Size: 104KB - Virtual size: 103KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 7KB - Virtual size: 7KB

.didat
Size: 512B - Virtual size: 44B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 10KB - Virtual size: 9KB