AppXDeploymentExtensions[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

AppXDeploymentExtensions.dll
Size

933KB
MD5

8d0f2fcf67e43d279e11b540eae52d24
SHA1

bf170e6b8bff2c419761ca65eeca31160b6cfffe
SHA256

30cbb6bf5d5c2dcbf8ce416c9bad720ff2a07a73dbf9a5405849ca56fd2e6df2
SHA512

3a3f3eeb457719c1485d5b40642d7ce21ed2d58adbdd215b9b34f6b95b4da1ead1f5d1991c15803c056503e063c8b742a066297e2b457d8afde928adfd042c28
SSDEEP

12288:w4T7iRx28I/zTS9PUzL4g/DsskHhP+bHCXX0+Humdz:wAiS8SP6KM+Dsxt+rAHum

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
AppXDeploymentExtensions.dll

Files

AppXDeploymentExtensions.dll
.dll windows:6 windows x64 arch:x64

f358b8200642d307118b641901d16885

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AppxDeploymentExtensions.pdb

Imports

msvcrt

wcscmp
iswalnum
iswspace
wcslen
__CxxFrameHandler3
realloc
_purecall
memcpy_s
_vsnwprintf
_wcsicmp
wcschr
qsort
_wtoi
wcscpy_s
_wcsnicmp
memcmp
memcpy
_onexit
__dllonexit
_unlock
_lock
__C_specific_handler
_initterm
malloc
free
_amsg_exit
_XcptFilter
_vsnwprintf_s
memmove
memmove_s
memset

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegDeleteValueW
RegOpenCurrentUser
RegCopyTreeW
RegCreateKeyExW
RegLoadAppKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegDeleteKeyExW
RegGetValueW
RegDeleteTreeW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegEnumValueW
RegGetKeySecurity
RegSetKeySecurity

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventRegister
EventWrite

api-ms-win-core-errorhandling-l1-1-1

GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
RaiseException

api-ms-win-core-localization-l1-2-1

FormatMessageW
LCMapStringEx

api-ms-win-core-string-l1-1-0

CompareStringEx
CompareStringW
CompareStringOrdinal

oleaut32

VariantClear
SysAllocStringLen
SysAllocString
SysFreeString

api-ms-win-core-synch-l1-2-0

LeaveCriticalSection
InitializeCriticalSectionEx
EnterCriticalSection
DeleteCriticalSection
Sleep
ReleaseSRWLockExclusive
InitializeCriticalSection
ReleaseSRWLockShared
AcquireSRWLockShared
AcquireSRWLockExclusive
InitializeSRWLock
WaitForSingleObject
InitOnceExecuteOnce

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-2

CreateProcessAsUserW
TlsGetValue
OpenProcess
TerminateProcess
GetCurrentThreadId
ProcessIdToSessionId
SetThreadToken
GetCurrentThread
GetCurrentProcessId
OpenThreadToken
OpenProcessToken
TlsSetValue
TlsAlloc
GetCurrentProcess

api-ms-win-core-sysinfo-l1-2-1

GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount
GetOsSafeBootMode
GetSystemInfo
GetVersionExW

api-ms-win-core-rtlsupport-l1-2-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

ntdll

RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlPublishWnfStateData
WinSqmAddToStreamEx
NtCreateLowBoxToken
RtlUpcaseUnicodeChar
RtlEqualUnicodeString
RtlGetDaclSecurityDescriptor
NtQueryInformationFile
ZwFlushBuffersFileEx
RtlLengthSid
NtUnmapViewOfSection
NtMapViewOfSection
NtCreateSection
NtClose
RtlExpandEnvironmentStrings_U
RtlInitUnicodeString
RtlFreeSid
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlDeleteCriticalSection
RtlInitializeCriticalSection
NtQuerySystemInformation
RtlReportException
RtlFreeHeap
RtlReAllocateHeap
RtlAllocateHeap
RtlInsertElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlInitializeGenericTableAvl
RtlConvertSidToUnicodeString
RtlFreeUnicodeString
RtlValidSid
NtQueryInformationToken
RtlGetLastWin32Error
RtlDowncaseUnicodeString
RtlAllocateAndInitializeSid
NtQueryKey
NtOpenKey
NtCreateKey
RtlDeleteNoSplay
RtlValidRelativeSecurityDescriptor
RtlNtStatusToDosError
NtQueryValueKey
RtlRealPredecessor
RtlSplay
NtSetInformationVirtualMemory
NtOpenThreadToken
NtOpenProcessToken
RtlGetAce
EtwEventWrite
RtlNtStatusToDosErrorNoTeb
EtwEventUnregister
EtwEventRegister

kernel32

GlobalFree
ResolveDelayLoadedAPI
GetStateFolder
CreateTimerQueueTimer
GetSystemWow64DirectoryW
LocalAlloc
GlobalAlloc
GetSystemAppDataKey
CopyFileW
DeleteTimerQueueTimer
OpenStateExplicit
CloseState
DelayLoadFailureHook
LocalFree

shlwapi

StrStrIW
ord615
StrRChrW
ord632
PathRemoveBlanksW
PathFindFileNameW
SHDeleteKeyW
ord270
PathFileExistsW
SHStrDupW

tdh

TdhEnumerateProviderFieldInformation
TdhGetEventInformation
TdhGetEventMapInformation

appxdeploymentserver

AppXSetTrustLabelOnPackage
RequestPackageOperationImplementation
PackageRepositoryFree
PackageRepositoryAllocate

wtsapi32

WTSEnumerateSessionsW
WTSFreeMemory
WTSQueryUserToken

winsta

WinStationQueryInformationW

api-ms-win-appmodel-runtime-l1-1-1

GetApplicationUserModelId
PackageFamilyNameFromId
PackageFamilyNameFromFullName
GetPackageFullName
FormatApplicationUserModelId

api-ms-win-core-debug-l1-1-1

DebugBreak

api-ms-win-core-interlocked-l1-2-0

InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList

api-ms-win-security-base-l1-2-0

InitializeAcl
GetAce
FreeSid
GetSidSubAuthority
GetSidSubAuthorityCount
GetSecurityDescriptorSacl
AddAce
GetSecurityDescriptorDacl
CreateWellKnownSid
AddAccessAllowedAceEx
GetSecurityDescriptorOwner
GetAclInformation
SetSecurityDescriptorControl
DuplicateTokenEx
GetTokenInformation
EqualSid
CreatePrivateObjectSecurityEx
MakeSelfRelativeSD
RevertToSelf
CopySid
GetLengthSid
IsValidSid
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
ImpersonateLoggedOnUser
SetSecurityDescriptorDacl
DestroyPrivateObjectSecurity
IsValidSecurityDescriptor
ImpersonateSelf
InitializeSecurityDescriptor
AllocateAndInitializeSid

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
FreeLibrary
GetModuleHandleExW
LoadLibraryExW

api-ms-win-core-winrt-error-l1-1-1

RoOriginateError
RoTransformError
RoOriginateErrorW

api-ms-win-core-com-l1-1-1

CoGetApartmentType
CoCreateGuid
CoGetMalloc
CLSIDFromString
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
PropVariantClear
CoSetProxyBlanket
CoEnableCallCancellation
CoCancelCall
CoTaskMemRealloc
CoTaskMemAlloc
StringFromCLSID
CoTaskMemFree
CoDisableCallCancellation
CoCreateInstance

api-ms-win-core-file-l1-2-1

FindClose
FindNextFileW
CreateDirectoryW
DeleteFileW
WriteFile
SetFileAttributesW
FindFirstFileW
CompareFileTime
GetFileAttributesW
RemoveDirectoryW
GetFileSizeEx
CreateFileW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringLen
WindowsCreateString
WindowsDeleteString
WindowsCreateStringReference
WindowsDuplicateString
WindowsDeleteStringBuffer
WindowsIsStringEmpty
WindowsStringHasEmbeddedNull
WindowsCompareStringOrdinal
WindowsReplaceString
WindowsConcatString
WindowsPromoteStringBuffer
WindowsPreallocateStringBuffer
WindowsGetStringRawBuffer

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-security-lsalookup-l2-1-1

LookupAccountSidW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-core-path-l1-1-0

PathAllocCombine
PathCchAppend
PathCchCombine
PathCchCanonicalize

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

rpcrt4

UuidToStringW
RpcStringFreeW
RpcStringBindingComposeW
RpcBindingFromStringBindingW
I_RpcExceptionFilter
NdrClientCall3
RpcBindingSetAuthInfoExW
UuidFromStringW
RpcBindingFree
UuidCreate

userenv

ord213
GetAppContainerFolderPath
ord210
ord212
GetProfileType

bcrypt

BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptCreateHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptHashData
BCryptFinishHash

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoActivateInstance

crypt32

CryptQueryObject
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertFindCertificateInStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CertDeleteCertificateFromStore

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
OpenSCManagerW

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

profapi

ord104
ord107
ord114

cryptsp

CryptCreateHash
CryptHashData
CryptGetHashParam
CryptAcquireContextW
CryptReleaseContext
CryptDestroyHash

advapi32

RegSetKeyValueW
SetNamedSecurityInfoW
SetEntriesInAclW
RegDeleteKeyW

ole32

CoGetObject
CreateBindCtx

api-ms-win-appmodel-identity-l1-1-0

AppXFreeMemory
AppXGetPackageCapabilities
AppContainerDeriveSidFromMoniker
AppXGetPackageState

mrmcorer

ResourceManagerQueueGetCurrentDepth
GetInternalReferenceBlobForManifestValue
MergeResourcePackPri
ResourceManagerQueueReset

ntmarta

AccTreeResetNamedSecurityInfo

api-ms-win-appmodel-state-l1-1-1

ReleaseStateLock
GetSystemAppDataFolder
GetStateSettingsFolder
GetHivePath
RegisterStateLock
UnregisterStateChangeNotification
CheckIfStateChangeNotificationExists
GetStateRootFolder
CreateStateLock
GetStateVersion
CloseStateLock
AcquireStateLock
UnregisterStateLock
RegisterStateChangeNotification

wsclient

WSLicenseClose
WSLicenseOpen
WSNotifyPackageInstalled

api-ms-win-net-isolation-l1-1-1

NetworkIsolationSetupAppContainerBinaries

bcp47langs

SetApplicationManifestLanguages
ClearApplicationManifestLanguages
GetApplicationLanguages
GetApplicationManifestLanguages
Bcp47IsValid
LanguageListAsMuiForm

appxalluserstore

IsPackageInUpgradeKey
IsNonInboxAllUserPackage
DidAppSurviveOSUpgradeForUser

api-ms-win-core-heap-l1-2-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-memory-l1-1-2

MapViewOfFile
UnmapViewOfFile
CreateFileMappingW

propsys

PropVariantToStringVectorAlloc
PSCreateMemoryPropertyStore

Exports

Exports

LoadCategoryNameTable
LoadExtensionRegistrationTable
ShellRefresh

Sections

.text
Size: 713KB - Virtual size: 712KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 164KB - Virtual size: 163KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f358b8200642d307118b641901d16885

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-localization-l1-2-1

api-ms-win-core-string-l1-1-0

oleaut32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-rtlsupport-l1-2-0

ntdll

kernel32

shlwapi

tdh

appxdeploymentserver

wtsapi32

winsta

api-ms-win-appmodel-runtime-l1-1-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-interlocked-l1-2-0

api-ms-win-security-base-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-file-l1-2-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-security-lsalookup-l2-1-1

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-processenvironment-l1-2-0

rpcrt4

userenv

bcrypt

api-ms-win-core-winrt-l1-1-0

crypt32

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-core-apiquery-l1-1-0

profapi

cryptsp

advapi32

ole32

api-ms-win-appmodel-identity-l1-1-0

mrmcorer

ntmarta

api-ms-win-appmodel-state-l1-1-1

wsclient

api-ms-win-net-isolation-l1-1-1

bcp47langs

appxalluserstore

api-ms-win-core-heap-l1-2-0

api-ms-win-core-memory-l1-1-2

propsys

Exports

Exports

Sections

.text Size: 713KB - Virtual size: 712KB

.data Size: 4KB - Virtual size: 6KB

.pdata Size: 23KB - Virtual size: 23KB

.idata Size: 18KB - Virtual size: 17KB

.didat Size: 512B - Virtual size: 224B

.rsrc Size: 164KB - Virtual size: 163KB

.reloc Size: 9KB - Virtual size: 9KB

.text
Size: 713KB - Virtual size: 712KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 23KB - Virtual size: 23KB

.idata
Size: 18KB - Virtual size: 17KB

.didat
Size: 512B - Virtual size: 224B

.rsrc
Size: 164KB - Virtual size: 163KB

.reloc
Size: 9KB - Virtual size: 9KB