ExecModelClient[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

ExecModelClient.dll
Size

234KB
MD5

141a6a0327e3fa9f499211b907269e04
SHA1

e97338750aa9b9c59a81e7dd7c052434a0795842
SHA256

5a467fc06687ee743aa66a6144da7c867dd96b151b12e2193e72298f65e08b21
SHA512

c108ca82fe1fe8793deac748017144e2263479cec2466c4aea4f2b2e7736fb606ff922603b5beeb08dc6f8802f0dfce06f3868e9e4953f2a1bc9ad2878652787
SSDEEP

6144:XHLAhuVVGSlR2u582phnohlkGP4an1+mscH:XHLAhuVVGjUhnohlkGga1+m7H

Score

1^/10

Malware Config

Signatures

Files

ExecModelClient.dll
.dll windows:10 windows x86 arch:x86

f247848d61b64959689378fbc0689840

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/07/2018, 20:45

Not After

26/07/2019, 20:45

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4f:07:f7:84:7d:9d:c3:7f:ac:ef:22:78:27:5f:5e:f4:b9:c5:a9:f5:bb:76:e7:1a:5c:b7:95:37:09:05:a2:57
Signer

Actual PE Digest

4f:07:f7:84:7d:9d:c3:7f:ac:ef:22:78:27:5f:5e:f4:b9:c5:a9:f5:bb:76:e7:1a:5c:b7:95:37:09:05:a2:57

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

ExecModelClient.pdb

Imports

msvcrt

memmove_s
wcstok_s
wcscpy_s
realloc
_CxxThrowException
memcpy
memmove
??1exception@@UAE@XZ
??1type_info@@UAE@XZ
??0exception@@QAE@ABQBD@Z
memcmp
??0exception@@QAE@ABQBDH@Z
__CxxFrameHandler3
_callnewh
_onexit
??0exception@@QAE@XZ
_vsnwprintf
__dllonexit
?terminate@@YAXXZ
??0exception@@QAE@ABV0@@Z
_unlock
_lock
_initterm
?what@exception@@UBEPBDXZ
malloc
free
_amsg_exit
_XcptFilter
_purecall
??3@YAXPAX@Z
_except_handler4_common
toupper
memcpy_s
_vsnprintf_s
memset

api-ms-win-core-libraryloader-l1-2-0

FindResourceExW
GetModuleHandleW
GetModuleHandleExW
DisableThreadLibraryCalls
GetModuleFileNameA
LockResource
LoadResource
GetProcAddress
LoadLibraryExW

api-ms-win-core-synch-l1-1-0

ReleaseMutex
ReleaseSemaphore
WaitForSingleObjectEx
OpenSemaphoreW
InitializeCriticalSectionEx
CreateMutexExW
CreateEventW
InitializeSRWLock
LeaveCriticalSection
EnterCriticalSection
CreateSemaphoreExW
ReleaseSRWLockExclusive
WaitForSingleObject
AcquireSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockShared
DeleteCriticalSection
CreateEventExW
SetEvent
WaitForMultipleObjectsEx
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetProcessId
TerminateProcess
CreateThread
OpenProcessToken
GetCurrentThreadId
GetCurrentProcessId
GetThreadId

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

rpcrt4

NdrClientCall4
RpcStringFreeW
RpcBindingFree
RpcBindingFromStringBindingW
RpcBindingCreateW
RpcBindingBind
I_RpcMapWin32Status
I_RpcExceptionFilter
RpcStringBindingComposeW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventUnregister
EventRegister
EventProviderEnabled

api-ms-win-core-winrt-error-l1-1-0

RoOriginateErrorW
GetRestrictedErrorInfo
RoTransformError
RoOriginateError
SetRestrictedErrorInfo

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringLen
WindowsCreateStringReference
WindowsStringHasEmbeddedNull
WindowsDeleteString
WindowsDuplicateString
WindowsIsStringEmpty
WindowsCreateString
WindowsGetStringRawBuffer
WindowsConcatString

api-ms-win-core-com-l1-1-0

CoInitializeEx
CoMarshalInterface
CoUninitialize
CoCreateInstance
StringFromGUID2
CreateStreamOnHGlobal
CoTaskMemRealloc
CoGetClassObject
CoCreateGuid
CoGetCallContext
CoTaskMemFree
CoCreateFreeThreadedMarshaler
CoWaitForMultipleHandles
CoTaskMemAlloc
CoReleaseMarshalData
CoGetApartmentType
CoGetCallerTID

api-ms-win-core-synch-l1-2-0

InitializeConditionVariable
Sleep
WakeConditionVariable
InitOnceExecuteOnce
InitOnceInitialize
WakeAllConditionVariable
SleepConditionVariableSRW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree
LocalReAlloc

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-security-accesshlpr-l1-1-0

BuildSecurityDescriptorForSharingAccess
QueryTransientObjectSecurityDescriptor
FreeTransientObjectSecurityDescriptor

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolAllowThreadReuse
SHTaskPoolQueueTask

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
RoReportFailedDelegate
IsErrorPropagationEnabled

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-security-base-l1-1-0

EqualSid
GetTokenInformation

ntdll

RtlQueryUnbiasedInterruptTime
RtlSleepConditionVariableSRW
RtlAcquireSRWLockShared
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
RtlReleaseSRWLockShared
RtlInitializeSRWLock
RtlFreeHeap
RtlAllocateHeap
RtlLengthSid
RtlCopySid
NtQueryInformationToken
RtlValidSid
NtQuerySystemInformation
RtlDeriveCapabilitySidsFromName
RtlGetDeviceFamilyInfoEnum
RtlRunOnceExecuteOnce

api-ms-win-core-psm-key-l1-1-0

PsmGetPackageFullNameFromKey
PsmCreateKey
PsmGetKeyFromProcess
PsmGetApplicationNameFromKey

api-ms-win-core-quirks-l1-1-0

QuirkIsEnabledForPackage

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

propsys

ord435

api-ms-win-core-registry-l1-1-0

RegGetValueW

coremessaging

CoreUICreate

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-service-private-l1-1-0

UnsubscribeServiceChangeNotifications
SubscribeServiceChangeNotifications

api-ms-win-service-management-l1-1-0

OpenServiceW
OpenSCManagerW
CloseServiceHandle

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus

Exports

Exports

CreateForegroundTaskManager
CreateModernVoipPolicy
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
PlmGetHostIdForDesktopAppxProcess
PlmGetHostIdForDynamicProcess
PlmGetHostIdForMixedHost
PlmGetHostIdForPple
TestHook_CancelShutdown

Sections

.text
Size: 197KB - Virtual size: 197KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f247848d61b64959689378fbc0689840

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

4f:07:f7:84:7d:9d:c3:7f:ac:ef:22:78:27:5f:5e:f4:b9:c5:a9:f5:bb:76:e7:1a:5c:b7:95:37:09:05:a2:57Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

rpcrt4

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-security-accesshlpr-l1-1-0

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-security-base-l1-1-0

ntdll

api-ms-win-core-psm-key-l1-1-0

api-ms-win-core-quirks-l1-1-0

api-ms-win-core-string-l1-1-0

propsys

api-ms-win-core-registry-l1-1-0

coremessaging

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-service-private-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-1-0

Exports

Exports

Sections

.text Size: 197KB - Virtual size: 197KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 180B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 14KB - Virtual size: 13KB

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

4f:07:f7:84:7d:9d:c3:7f:ac:ef:22:78:27:5f:5e:f4:b9:c5:a9:f5:bb:76:e7:1a:5c:b7:95:37:09:05:a2:57
Signer

.text
Size: 197KB - Virtual size: 197KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 180B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 14KB - Virtual size: 13KB