ExecModelClient[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

ExecModelClient.dll
Size

234KB
MD5

2dd4365101f30ea454907737d5bbfe3e
SHA1

57b74f993dcd21150338a6ad50a0c83057b81aae
SHA256

e88ff384650a974b2c16cb09bc7fd14b654c98066fcd9a40668079a3017029aa
SHA512

657f6ac7a9fca15880f994a295e972d94d252810912c9008432d9d92eab9f11d448247623f506686c2c3a056eb6e7715334dae5d9cec7c7135e02f40b6b16fb5
SSDEEP

6144:m7tnAZJ3J9WS3V0Hk5zsh6ObBzJ9IuV3gBYhtiWohms95VE:AevZOLh6ObBz9V3gBmtxohmC5VE

Score

1^/10

Malware Config

Signatures

Files

ExecModelClient.dll
.dll windows:10 windows x86 arch:x86

f247848d61b64959689378fbc0689840

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/03/2020, 18:30

Not After

03/03/2021, 18:30

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

09:ef:12:75:73:18:f1:aa:38:98:66:25:34:99:e1:b4:06:9d:eb:00:69:f8:7a:c0:9e:0e:38:17:37:bb:7e:52
Signer

Actual PE Digest

09:ef:12:75:73:18:f1:aa:38:98:66:25:34:99:e1:b4:06:9d:eb:00:69:f8:7a:c0:9e:0e:38:17:37:bb:7e:52

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

ExecModelClient.pdb

Imports

msvcrt

memmove_s
wcstok_s
wcscpy_s
realloc
_CxxThrowException
memcpy
memmove
??1exception@@UAE@XZ
??1type_info@@UAE@XZ
??0exception@@QAE@ABQBD@Z
memcmp
??0exception@@QAE@ABQBDH@Z
__CxxFrameHandler3
_callnewh
_onexit
??0exception@@QAE@XZ
_vsnwprintf
__dllonexit
?terminate@@YAXXZ
??0exception@@QAE@ABV0@@Z
_unlock
_lock
_initterm
?what@exception@@UBEPBDXZ
malloc
free
_amsg_exit
_XcptFilter
_purecall
??3@YAXPAX@Z
_except_handler4_common
toupper
memcpy_s
_vsnprintf_s
memset

api-ms-win-core-libraryloader-l1-2-0

FindResourceExW
GetModuleHandleW
GetModuleHandleExW
DisableThreadLibraryCalls
GetModuleFileNameA
LockResource
LoadResource
GetProcAddress
LoadLibraryExW

api-ms-win-core-synch-l1-1-0

ReleaseMutex
ReleaseSemaphore
WaitForSingleObjectEx
OpenSemaphoreW
InitializeCriticalSectionEx
CreateMutexExW
CreateEventW
InitializeSRWLock
LeaveCriticalSection
EnterCriticalSection
CreateSemaphoreExW
ReleaseSRWLockExclusive
WaitForSingleObject
AcquireSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockShared
DeleteCriticalSection
CreateEventExW
SetEvent
WaitForMultipleObjectsEx
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetProcessId
TerminateProcess
CreateThread
OpenProcessToken
GetCurrentThreadId
GetCurrentProcessId
GetThreadId

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

rpcrt4

NdrClientCall4
RpcStringFreeW
RpcBindingFree
RpcBindingFromStringBindingW
RpcBindingCreateW
RpcBindingBind
I_RpcMapWin32Status
I_RpcExceptionFilter
RpcStringBindingComposeW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventUnregister
EventRegister
EventProviderEnabled

api-ms-win-core-winrt-error-l1-1-0

RoOriginateErrorW
GetRestrictedErrorInfo
RoTransformError
RoOriginateError
SetRestrictedErrorInfo

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringLen
WindowsCreateStringReference
WindowsStringHasEmbeddedNull
WindowsDeleteString
WindowsDuplicateString
WindowsIsStringEmpty
WindowsCreateString
WindowsGetStringRawBuffer
WindowsConcatString

api-ms-win-core-com-l1-1-0

CoInitializeEx
CoMarshalInterface
CoUninitialize
CoCreateInstance
StringFromGUID2
CreateStreamOnHGlobal
CoTaskMemRealloc
CoGetClassObject
CoCreateGuid
CoGetCallContext
CoTaskMemFree
CoCreateFreeThreadedMarshaler
CoWaitForMultipleHandles
CoTaskMemAlloc
CoReleaseMarshalData
CoGetApartmentType
CoGetCallerTID

api-ms-win-core-synch-l1-2-0

InitializeConditionVariable
Sleep
WakeConditionVariable
InitOnceExecuteOnce
InitOnceInitialize
WakeAllConditionVariable
SleepConditionVariableSRW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree
LocalReAlloc

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-security-accesshlpr-l1-1-0

BuildSecurityDescriptorForSharingAccess
QueryTransientObjectSecurityDescriptor
FreeTransientObjectSecurityDescriptor

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolAllowThreadReuse
SHTaskPoolQueueTask

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
RoReportFailedDelegate
IsErrorPropagationEnabled

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-security-base-l1-1-0

EqualSid
GetTokenInformation

ntdll

RtlQueryUnbiasedInterruptTime
RtlSleepConditionVariableSRW
RtlAcquireSRWLockShared
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
RtlReleaseSRWLockShared
RtlInitializeSRWLock
RtlFreeHeap
RtlAllocateHeap
RtlLengthSid
RtlCopySid
NtQueryInformationToken
RtlValidSid
NtQuerySystemInformation
RtlDeriveCapabilitySidsFromName
RtlGetDeviceFamilyInfoEnum
RtlRunOnceExecuteOnce

api-ms-win-core-psm-key-l1-1-0

PsmGetPackageFullNameFromKey
PsmCreateKey
PsmGetKeyFromProcess
PsmGetApplicationNameFromKey

api-ms-win-core-quirks-l1-1-0

QuirkIsEnabledForPackage

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

propsys

ord435

api-ms-win-core-registry-l1-1-0

RegGetValueW

coremessaging

CoreUICreate

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-service-private-l1-1-0

UnsubscribeServiceChangeNotifications
SubscribeServiceChangeNotifications

api-ms-win-service-management-l1-1-0

OpenServiceW
OpenSCManagerW
CloseServiceHandle

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus

Exports

Exports

CreateForegroundTaskManager
CreateModernVoipPolicy
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
PlmGetHostIdForDesktopAppxProcess
PlmGetHostIdForDynamicProcess
PlmGetHostIdForMixedHost
PlmGetHostIdForPple
TestHook_CancelShutdown

Sections

.text
Size: 197KB - Virtual size: 197KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f247848d61b64959689378fbc0689840

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

09:ef:12:75:73:18:f1:aa:38:98:66:25:34:99:e1:b4:06:9d:eb:00:69:f8:7a:c0:9e:0e:38:17:37:bb:7e:52Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

rpcrt4

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-security-accesshlpr-l1-1-0

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-security-base-l1-1-0

ntdll

api-ms-win-core-psm-key-l1-1-0

api-ms-win-core-quirks-l1-1-0

api-ms-win-core-string-l1-1-0

propsys

api-ms-win-core-registry-l1-1-0

coremessaging

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-service-private-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-1-0

Exports

Exports

Sections

.text Size: 197KB - Virtual size: 197KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 180B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 14KB - Virtual size: 13KB

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

09:ef:12:75:73:18:f1:aa:38:98:66:25:34:99:e1:b4:06:9d:eb:00:69:f8:7a:c0:9e:0e:38:17:37:bb:7e:52
Signer

.text
Size: 197KB - Virtual size: 197KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 180B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 14KB - Virtual size: 13KB