AppXDeploymentClient[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

AppXDeploymentClient.dll
Size

637KB
MD5

f9fe2d6fad60743f285ca2844ee94531
SHA1

a5e8792c143642a270a127f004ce2e862e32eb56
SHA256

49c27b1e5a0d8894aea8ab1417ce43149114549a65c1850a1c57608125b79058
SHA512

0aa781fde2c45a3d87382ae82a2e346ef6f3d93c24dacadbca96a0d37c43d38e255aa321fb73f41abd14029ad6cd4dc48d11de750ac91d2fe7be6becffd52ac0
SSDEEP

12288:15KFZPS6yM4mvLvgfQfNUJ148ulszDmUM0Uw/VQhoa:10Zmmjo11AlszDdNUmVQH

Score

1^/10

Malware Config

Signatures

Files

AppXDeploymentClient.dll
.dll windows:10 windows x86 arch:x86

cc89570f36e42e831c418ea50f92c692

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/07/2018, 20:45

Not After

26/07/2019, 20:45

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7d:52:ed:8c:c2:18:be:f8:dc:70:4c:8f:69:32:66:8e:c3:8a:d3:41:19:b2:3d:f8:16:23:fe:ee:a3:d5:38:d8
Signer

Actual PE Digest

7d:52:ed:8c:c2:18:be:f8:dc:70:4c:8f:69:32:66:8e:c3:8a:d3:41:19:b2:3d:f8:16:23:fe:ee:a3:d5:38:d8

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

AppXDeploymentClient.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e

api-ms-win-crt-string-l1-1-0

memset

ntdll

RtlReportException
NtQuerySystemInformation
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlAllocateAndInitializeSid
RtlFreeHeap
NtQueryInformationFile
NtQueryInformationProcess
RtlFreeSid
RtlAllocateHeap
NtSetInformationVirtualMemory
RtlIsMultiUsersInSessionSku
RtlInitializeSRWLock
RtlLeaveCriticalSection
RtlEnterCriticalSection
NtUnmapViewOfSection
NtMapViewOfSection
RtlNtStatusToDosErrorNoTeb
NtClose
NtCreateSection
EtwEventUnregister
EtwEventWrite
EtwEventRegister
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlLookupElementGenericTableAvl
RtlInsertElementGenericTableAvl
RtlAllocateWnfSerializationGroup
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlUnsubscribeWnfStateChangeNotification
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlInitializeGenericTableAvl
RtlQueryPackageClaims
RtlCompareUnicodeString
RtlInitUnicodeString
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlNtStatusToDosError
NtQueryInformationThread
RtlFreeUnicodeString
RtlDowncaseUnicodeString
RtlConvertSidToUnicodeString
RtlDetermineDosPathNameType_U

api-ms-win-core-libraryloader-l1-2-0

LoadStringW
GetProcAddress
LoadLibraryExA
GetModuleHandleExW
GetModuleFileNameA
FreeLibrary
GetModuleFileNameW
GetModuleHandleW
LoadLibraryExW

api-ms-win-core-synch-l1-1-0

InitializeSRWLock
OpenSemaphoreW
ReleaseSemaphore
CreateEventW
CreateSemaphoreExW
SetEvent
WaitForSingleObjectEx
ReleaseMutex
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
SleepEx
CreateEventExW
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
WaitForSingleObject
CreateMutexExW
InitializeCriticalSectionEx
ResetEvent

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-errorhandling-l1-1-0

GetLastError
RaiseException
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetProcessId
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
TlsSetValue
TlsAlloc
GetCurrentProcess
ProcessIdToSessionId
SetThreadToken
TlsGetValue
CreateThread
TerminateProcess
OpenProcessToken
OpenThreadToken

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

rpcrt4

RpcStringFreeW
UuidToStringW
UuidCreate
NdrAsyncClientCall2
NdrClientCall4
NdrDllGetClassObject
RpcBindingUnbind
RpcBindingFree
RpcBindingCreateW
NdrCStdStubBuffer2_Release
NdrCStdStubBuffer_Release
CStdStubBuffer_Connect
CStdStubBuffer_IsIIDSupported
IUnknown_QueryInterface_Proxy
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
NdrOleAllocate
CStdStubBuffer_QueryInterface
CStdStubBuffer_CountRefs
IUnknown_Release_Proxy
CStdStubBuffer_AddRef
NdrOleFree
RpcServerInqCallAttributesW
CStdStubBuffer_DebugServerQueryInterface
IUnknown_AddRef_Proxy
I_RpcExceptionFilter
NdrStubCall2
NdrStubForwardingFunction
CStdStubBuffer_Invoke
NdrDllCanUnloadNow
RpcAsyncInitializeHandle
RpcAsyncCancelCall
RpcAsyncCompleteCall
RpcBindingBind

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient19
ObjectStublessClient7
NdrProxyForwardingFunction4
CStdStubBuffer2_Disconnect
ObjectStublessClient23
ObjectStublessClient15
ObjectStublessClient20
ObjectStublessClient18
ObjectStublessClient3
ObjectStublessClient13
NdrProxyForwardingFunction5
CStdStubBuffer2_CountRefs
ObjectStublessClient11
ObjectStublessClient14
ObjectStublessClient12
ObjectStublessClient6
ObjectStublessClient8
ObjectStublessClient9
ObjectStublessClient17
ObjectStublessClient25
ObjectStublessClient10
ObjectStublessClient22
ObjectStublessClient16
ObjectStublessClient21
NdrProxyForwardingFunction3
CStdStubBuffer2_Connect
ObjectStublessClient24
CStdStubBuffer2_QueryInterface

api-ms-win-core-com-l1-1-0

CoReleaseMarshalData
CoTaskMemFree
CoMarshalInterface
CoGetApartmentType
StringFromGUID2
CoIncrementMTAUsage
CreateStreamOnHGlobal
CoDecrementMTAUsage
CoGetCallerTID
CoRevertToSelf
CoCreateFreeThreadedMarshaler
CoWaitForMultipleHandles
CoUninitialize
CoTaskMemAlloc
CoGetCallContext
CoInitializeEx
CoCreateInstance
CoImpersonateClient

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
CloseThreadpoolWork
SubmitThreadpoolWork
FreeLibraryWhenCallbackReturns
CloseThreadpoolTimer
WaitForThreadpoolWorkCallbacks
CreateThreadpoolWork
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer

api-ms-win-core-winrt-error-l1-1-0

RoTransformError
RoOriginateErrorW
SetRestrictedErrorInfo
GetRestrictedErrorInfo
RoOriginateError
RoSetErrorReportingFlags

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSidToSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-eventing-provider-l1-1-0

EventProviderEnabled
EventActivityIdControl
EventUnregister
EventWriteTransfer
EventRegister
EventSetInformation

api-ms-win-core-file-l1-1-0

CreateDirectoryW
DeleteFileW
WriteFile
GetVolumeInformationW
GetVolumePathNameW
GetFileAttributesW
FindClose
CreateFileW
GetFullPathNameW
GetDiskFreeSpaceExW
GetFileSizeEx
FindFirstFileW
FindNextFileW
GetDriveTypeW
SetFileAttributesW
CompareFileTime
GetDiskFreeSpaceW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringEx
CompareStringOrdinal

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
IsErrorPropagationEnabled
RoReportFailedDelegate

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceComplete
InitOnceExecuteOnce
Sleep

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoUninitialize
RoInitialize
RoActivateInstance

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
GetTraceLoggerHandle
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage

api-ms-win-security-lsalookup-l1-1-0

LsaLookupGetDomainInfo
LsaLookupClose
LsaLookupOpenLocalPolicy
LsaLookupFreeMemory

api-ms-win-core-sysinfo-l1-1-0

GetLocalTime
GetSystemTimeAsFileTime
GetVersionExW
GetWindowsDirectoryW
GetSystemInfo
GetTickCount

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureStackBackTrace

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW
GetVolumeNameForVolumeMountPointW
GetTempPathW

api-ms-win-core-realtime-l1-1-0

QueryUnbiasedInterruptTime

api-ms-win-core-windowserrorreporting-l1-1-1

WerRegisterCustomMetadata

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-path-l1-1-0

PathCchCombine
PathCchSkipRoot
PathCchRemoveBackslash
PathAllocCanonicalize

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx
NotifyServiceStatusChangeW

api-ms-win-service-management-l1-1-0

StartServiceW
OpenServiceW
OpenSCManagerW
CloseServiceHandle

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
VirtualProtect
VirtualQuery

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

staterepository.core

sqlite3_errcode
sqlite3_config
sqlite3_snprintf
sqlite3_prepare_v2
sqlite3_db_filename
sqlite3_db_handle
sqlite3_sql
sqlite3_next_stmt
sqlite3_stmt_busy
sqlite3_exec
sqlite3_clear_bindings
sqlite3_bind_int
sqlite3_expanded_sql
sqlite3_free
sqlite3_bind_int64
sqlite3_log
sqlite3_close
sqlite3_errmsg
sqlite3_bind_text16
sqlite3_bind_blob
sqlite3_column_int
sqlite3_get_autocommit
sqlite3_column_int64
sqlite3_changes
sqlite3_column_bytes
sqlite3_last_insert_rowid
sqlite3_column_text16
sqlite3_column_blob
sqlite3_finalize
sqlite3_reset
sqlite3_step

Exports

Exports

AppInstallerUpdateAllTask
AppxAddPackageToAllUserStoreForPbr
AppxCleanupOrphanPackages
AppxCleanupSystemAppsMigratedToFOD
AppxCleanupWCIReparsePoints
AppxCreateSharedLocalFolder
AppxCreateSharedLocalFolderForFamilyName
AppxDeletePackageFiles
AppxDestagePackage
AppxDoesSharedLocalFolderExistForFamilyName
AppxGetPackageInstalledLocation
AppxGetPackageType
AppxGetStagedPackageFullNameFromFamilyName
AppxIsStagedPackageStoreSigned
AppxPackageRepositoryRecoverStagedPackages
AppxPackageRepositoryRecoverUserInstalls
AppxPreRegisterAllInboxPackages
AppxPreRegisterPackage
AppxPreStageCleanupRunTask
AppxRecoverUserInstallsForUpgrade
AppxRegisterPackage
AppxRemovePackageForAllUsers
AppxRemovePackageForUserSid
AppxRequestRemovePackageForUser
AppxStagePackage
AppxValidatePackages
AppxValidatePackagesWithOptions
CheckAppInstallerUpdateAvailability
CheckComCallerHasCapabilities
CheckForUpdatesAndWaitForInstallerIfNeeded
ClientDeleteAllPackagesFromMainPackageArray
ClientGetAllPackagesToBeInstalledForUser
CreateCanonicalPriFile
DeleteApplicabilityInfoArray
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
EnsurePackageFamilyIsRegisteredBeforeActivation
FixJunctionsForAppsIfNecessary
GeneratePreInstalledPriFiles
GetApplicability
GetApplicability2
GetApplicability4
GetApplicability5
GetBundleApplicablePackages
GetMetadataRootForPackage
GetNotificationPayload
GetNotificationPayloadForUser
GetPackageApplicabilityForUserLogon
GetPackageRegistrationStatusForUser
GetPackageRegistrationStatusForUserAndDefaultAccount
IsPackageInstalled
IsPackageMetadataUnderSystemMetadata
IsSharedAppsEnabled
NotifyPackageStatusChanged
PopulateProtocolAndFTA
RDSRecoverRequests
ReArmAppxPreStageCleanupTask
RegisterNotification
RegisterNotificationForUser
RepairPackageFileAcls
RequestContentGroups
RequestContentGroupsForFullTrust
UnregisterNotification
UnregisterNotificationForUser
UpdateAgentCancelAllDownloads
UpdateAgentCreateDownload
UpdateAgentFreeDownloadRanges
UpdateAgentGetDownloadRanges
UpdateAgentGetDownloadingPackageCount
UpdateDataSourceAddRange
UpdateDataSourceCancelRun
UpdateDataSourceRegister
UpdateDataSourceRun
VerifyPackage

Sections

.text
Size: 557KB - Virtual size: 557KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 712B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

cc89570f36e42e831c418ea50f92c692

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

7d:52:ed:8c:c2:18:be:f8:dc:70:4c:8f:69:32:66:8e:c3:8a:d3:41:19:b2:3d:f8:16:23:fe:ee:a3:d5:38:d8Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

rpcrt4

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-security-lsalookup-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-realtime-l1-1-0

api-ms-win-core-windowserrorreporting-l1-1-1

api-ms-win-core-file-l2-1-2

api-ms-win-core-path-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-apiquery-l1-1-0

staterepository.core

Exports

Exports

Sections

.text Size: 557KB - Virtual size: 557KB

.data Size: 1KB - Virtual size: 4KB

.idata Size: 12KB - Virtual size: 12KB

.didat Size: 1024B - Virtual size: 712B

.rsrc Size: 16KB - Virtual size: 15KB

.reloc Size: 34KB - Virtual size: 33KB

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

7d:52:ed:8c:c2:18:be:f8:dc:70:4c:8f:69:32:66:8e:c3:8a:d3:41:19:b2:3d:f8:16:23:fe:ee:a3:d5:38:d8
Signer

.text
Size: 557KB - Virtual size: 557KB

.data
Size: 1KB - Virtual size: 4KB

.idata
Size: 12KB - Virtual size: 12KB

.didat
Size: 1024B - Virtual size: 712B

.rsrc
Size: 16KB - Virtual size: 15KB

.reloc
Size: 34KB - Virtual size: 33KB