AppXDeploymentServer[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

AppXDeploymentServer.dll
Size

1.3MB
MD5

77d080f2698d92fd66272f4f8852bcf8
SHA1

371b2e5955a271cd34108852d7bdaf6823bdbffb
SHA256

07dc317252511c2a590335aee92e9fcc7e77365d17aabbac6530cda19d6b9eec
SHA512

ad64550120a10856ab2d5441042240719077632ba8bdd69e9ae92e4c56d39c7f1ef14ee14ed857c8ee2b1e2647dc96e7a856840f859acfded45814a3bffa0f06
SSDEEP

24576:F7stkM5dleu9tGvgU5bOqMx8wxE4moZKaMaaWEKeO2FSw1OW7X8EmRX:F7stkMtX9tLU5bOqNwxcoZXM/WEjhFSH

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
AppXDeploymentServer.dll

Files

AppXDeploymentServer.dll
.dll windows:6 windows x64 arch:x64

886607ebca144a5e9826da428707b71d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AppxDeploymentServer.pdb

Imports

ntdll

RtlFreeUnicodeString
RtlValidSid
RtlLengthSid
NtQueryInformationToken
RtlReportException
NtQuerySystemInformation
wcschr
RtlFindAceByType
RtlGetAppContainerNamedObjectPath
NtOpenDirectoryObject
RtlConvertSidToUnicodeString
NtQuerySecurityObject
_vsnwprintf
NtGetCachedSigningLevel
RtlCreateSecurityDescriptor
NtSetSecurityObject
RtlAddProcessTrustLabelAce
wcscmp
strcmp
memset
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlDeleteFunctionTable
RtlAddFunctionTable
RtlNtStatusToDosError
NtCreateWnfStateName
RtlWaitForWnfMetaNotification
RtlInitializeCriticalSection
RtlDeleteCriticalSection
_wcsicmp
qsort
RtlFreeSid
WinSqmIsOptedIn
RtlDeleteSecurityObject
NtAccessCheck
RtlCreateAndSetSD
RtlEqualSid
RtlAllocateAndInitializeSid
RtlReAllocateHeap
RtlAllocateHeap
RtlFreeHeap
_wtoi
wcsrchr
wcsncmp
NtUnmapViewOfSection
NtMapViewOfSection
RtlNtStatusToDosErrorNoTeb
NtCreateSection
EtwEventUnregister
EtwEventWrite
EtwEventRegister
memcpy
memcmp
__chkstk
RtlSetSaclSecurityDescriptor
RtlCreateAcl
NtClose
RtlLookupElementGenericTableAvl
NtDeleteWnfStateName
RtlNumberGenericTableElementsAvl
WinSqmIncrementDWORD
RtlInitUnicodeString
NtSetInformationVirtualMemory
NtQueryInformationThread
wcsstr
NtOpenThreadToken
NtOpenProcessToken
_wcsnicmp
RtlDowncaseUnicodeString
RtlGetLastWin32Error
NtSetInformationFile
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlReleaseRelativeName
NtOpenFile
RtlExpandEnvironmentStrings_U
RtlEnumerateGenericTableAvl
NtSetInformationThread
RtlIsCriticalSectionLockedByThread
RtlPublishWnfStateData
RtlLeaveCriticalSection
RtlEnterCriticalSection
wcscpy_s
__C_specific_handler
_vsnwprintf_s
WinSqmSetString
memmove
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
WinSqmAddToStreamEx
WinSqmAddToStream
WinSqmEndSession
RtlInsertElementGenericTableAvl
ZwFlushBuffersFileEx
WinSqmStartSession
memcpy_s
RtlInitializeGenericTableAvl
WinSqmSetDWORD

api-ms-win-core-file-l1-2-1

GetFileAttributesExW
GetTempPathW
FindFirstFileW
SetFilePointer
CreateDirectoryW
GetTempFileNameW
CreateFileW
SetEndOfFile
FindClose
GetFileSizeEx
FindNextFileW
FlushFileBuffers
WriteFile
DeleteFileW
SetFileAttributesW
GetVolumeInformationByHandleW
CompareFileTime
RemoveDirectoryW
SetFileInformationByHandle
GetDriveTypeW
GetFullPathNameW
GetDiskFreeSpaceW
GetFileAttributesW
ReadFile

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
SetLastError
RaiseException
UnhandledExceptionFilter
GetLastError

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
TraceMessage
GetTraceLoggerHandle
RegisterTraceGuidsW
GetTraceEnableFlags
UnregisterTraceGuids

api-ms-win-eventing-provider-l1-1-0

EventWrite
EventRegister
EventUnregister
EventActivityIdControl

api-ms-win-core-string-l1-1-0

CompareStringEx
CompareStringW
CompareStringOrdinal

api-ms-win-core-synch-l1-2-0

CreateWaitableTimerExW
CreateEventW
SetWaitableTimer
InitializeCriticalSectionEx
InitializeCriticalSection
DeleteCriticalSection
CancelWaitableTimer
WaitForSingleObject
Sleep
EnterCriticalSection
SetEvent
InitOnceExecuteOnce
LeaveCriticalSection

api-ms-win-core-sysinfo-l1-2-1

GetSystemTimeAsFileTime
GetOsSafeBootMode
GetTickCount
GetWindowsDirectoryW
GetSystemInfo
GetVersionExW
GetTickCount64
GetSystemDirectoryW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-security-base-l1-2-0

DuplicateToken
GetLengthSid
GetSidSubAuthority
AdjustTokenPrivileges
CheckTokenMembership
AddAccessAllowedAce
GetSecurityDescriptorGroup
GetSidSubAuthorityCount
IsWellKnownSid
SetSecurityAccessMask
IsValidSid
AllocateAndInitializeSid
GetAce
MakeSelfRelativeSD
CreateRestrictedToken
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
SetTokenInformation
AddAccessAllowedAceEx
InitializeAcl
DeleteAce
FreeSid
EqualSid
CreateWellKnownSid
InitializeSecurityDescriptor
GetTokenInformation
GetSecurityDescriptorOwner
RevertToSelf
ImpersonateLoggedOnUser
CopySid
GetSecurityDescriptorDacl

api-ms-win-core-threadpool-l1-2-0

CloseThreadpool
SetThreadpoolThreadMaximum
CreateThreadpoolCleanupGroup
CreateThreadpool
SetThreadpoolThreadMinimum
CloseThreadpoolWork
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
SubmitThreadpoolWork
CreateThreadpoolWork
TrySubmitThreadpoolCallback

api-ms-win-core-registry-l1-1-0

RegFlushKey
RegGetValueW
RegQueryValueExW
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
RegGetKeySecurity
RegOpenCurrentUser
RegCloseKey
RegOpenKeyExW
RegEnumValueW
RegDeleteTreeW
RegQueryInfoKeyW
RegOpenUserClassesRoot
RegCopyTreeW
RegEnumKeyExW

api-ms-win-core-processthreads-l1-1-2

OpenThreadToken
GetCurrentThread
GetCurrentProcessId
ResumeThread
UpdateProcThreadAttribute
SetThreadToken
ExitProcess
TerminateProcess
CreateProcessAsUserW
GetExitCodeProcess
GetThreadPriority
CreateThread
OpenProcess
SetThreadPriority
OpenProcessToken
GetCurrentThreadId
TlsSetValue
TlsGetValue
OpenThread
GetCurrentProcess
TlsFree
TlsAlloc
InitializeProcThreadAttributeList

api-ms-win-core-realtime-l1-1-0

QueryUnbiasedInterruptTime

api-ms-win-core-io-l1-1-1

CancelSynchronousIo

rpcrt4

RpcServerInqCallAttributesW
RpcRevertToSelf
RpcImpersonateClient
RpcServerUseProtseqW
RpcServerInqBindings
RpcServerRegisterIfEx
RpcServerRegisterIf3
RpcStringFreeW
RpcEpRegisterW
RpcEpUnregister
RpcServerUnregisterIf
Ndr64AsyncServerCallAll
UuidToStringW
RpcBindingSetAuthInfoExW
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcAsyncCompleteCall
RpcRaiseException
NdrServerCallAll
RpcBindingVectorFree
NdrServerCall2
NdrAsyncServerCall
UuidCreate
NdrClientCall3
RpcBindingBind
RpcBindingCreateW
RpcBindingFree

oleaut32

SysStringLen
GetErrorInfo
SysFreeString
SysAllocString
SysAllocStringLen
VariantClear

api-ms-win-core-com-l1-1-1

CoCreateGuid
StringFromGUID2
CoCreateInstance
CoDisconnectContext
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc
CLSIDFromString
RoGetAgileReference
CoInitializeEx
CoUninitialize

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSidToSidW

api-ms-win-security-lsalookup-l2-1-1

LookupAccountSidW
LookupPrivilegeValueW

api-ms-win-service-core-l1-1-1

SetServiceStatus

api-ms-win-service-winsvc-l1-2-0

QueryServiceStatus
RegisterServiceCtrlHandlerW

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-core-memory-l1-1-2

VirtualAlloc
VirtualQuery
VirtualProtect
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
VirtualFree

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrcmpiW

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree

api-ms-win-core-url-l1-1-0

PathCreateFromUrlW

api-ms-win-core-kernel32-legacy-l1-1-1

GetSystemWow64DirectoryW
MoveFileW
CopyFileW
RaiseFailFastException
WaitForMultipleObjects

api-ms-win-core-crt-l2-1-0

_initterm
_initterm_e
_onexit
__dllonexit3

shcore

ord130
IsOS

api-ms-win-core-heap-l1-2-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-localization-l1-2-1

FormatMessageW
LCMapStringW

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
LoadLibraryExA
GetProcAddress
GetModuleHandleW
LoadLibraryExW
GetModuleHandleExW

api-ms-win-core-winrt-error-l1-1-1

RoOriginateErrorW

api-ms-win-core-debug-l1-1-1

DebugBreak

api-ms-win-core-path-l1-1-0

PathCchAppend
PathAllocCombine

userenv

GetProfileType
DeleteAppContainerProfile
DeriveAppContainerSidFromAppContainerName
CreateAppContainerProfile

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW
K32EnumProcesses

api-ms-win-core-file-l2-1-1

MoveFileExW
CreateHardLinkW

api-ms-win-service-management-l1-1-0

CloseServiceHandle
OpenServiceW
OpenSCManagerW

crypt32

CertGetEnhancedKeyUsage
CertGetCertificateChain
CertVerifyCertificateChainPolicy
CryptMsgGetParam
CertFreeCertificateChain
CertFreeCertificateContext
CryptMsgClose
CertCloseStore
CertGetSubjectCertificateFromStore
CryptQueryObject

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrStrIW
StrRChrW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

profapi

ord104
ord111

esent

JetSetSystemParameterW
JetCreateInstanceW
JetInit
JetTerm
JetDelete
JetUpdate
JetPrepareUpdate
JetSetColumn
JetRetrieveColumn
JetMove
JetSetIndexRange
JetSeek
JetMakeKey
JetSetCurrentIndexW
JetAddColumnW
JetIndexRecordCount
JetCreateIndex2W
JetCreateTableW
JetEndSession
JetOpenTableW
JetCloseTable
JetCloseDatabase
JetDetachDatabase2W
JetAttachDatabaseW
JetOpenDatabaseW
JetCreateDatabaseW
JetRollback
JetCommitTransaction
JetBeginTransaction
JetBeginSessionW
JetGetTableColumnInfoW

tdh

TdhGetEventMapInformation
TdhGetEventInformation
TdhEnumerateProviderFieldInformation

api-ms-win-appmodel-runtime-internal-l1-1-0

GetAppModelVersion

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW

api-ms-win-core-registry-l2-1-0

RegOpenKeyW
RegDeleteKeyW

api-ms-win-core-interlocked-l1-2-0

InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList

Exports

Exports

AddToPurgeList
AppXSetTrustLabelOnPackage
CancelDeploymentImplementation
CreateWnfStateNameImplementation
EnumPackagesByUserSidInternal
EnumPackagesByUserSidNamePublisherInternal
EnumPackagesByUserSidPackageFamilyNameInternal
EnumVisibilityByPackageFullNameInternal
FindPackageByUserSidPackageFullNameInternal
FixStagedPackagesImplementation
GenerateBytecodeForPackageImplementation
GenerateBytecodeForPackagesImplementation
GetApplicabilityImplementation
GetDeploymentError
GetPackageFilesDiskUsageImplementation
GetPackageTypeImplementation
GetSortedRegisterPackageListImplementation
IsPackageInstalledInternal
PackageRepositoryAllocate
PackageRepositoryFree
RDSRecoverRequestsImplementation
RequestPackageOperationImplementation
ServiceMain
SetDeploymentError
SetPackageStateImplementation
StartDeploymentImplementation
SvchostPushServiceGlobals

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 576B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 164KB - Virtual size: 163KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

886607ebca144a5e9826da428707b71d

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

api-ms-win-core-file-l1-2-1

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-handle-l1-1-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-realtime-l1-1-0

api-ms-win-core-io-l1-1-1

rpcrt4

oleaut32

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-security-lsalookup-l2-1-1

api-ms-win-service-core-l1-1-1

api-ms-win-service-winsvc-l1-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-memory-l1-1-2

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-url-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-crt-l2-1-0

shcore

api-ms-win-core-heap-l1-2-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-localization-l1-2-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-path-l1-1-0

userenv

api-ms-win-core-version-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-file-l2-1-1

api-ms-win-service-management-l1-1-0

crypt32

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-core-apiquery-l1-1-0

profapi

esent

tdh

api-ms-win-appmodel-runtime-internal-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-interlocked-l1-2-0

Exports

Exports

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.data Size: 1024B - Virtual size: 4KB

.pdata Size: 17KB - Virtual size: 16KB

.idata Size: 18KB - Virtual size: 18KB

.didat Size: 1024B - Virtual size: 576B

.rsrc Size: 164KB - Virtual size: 163KB

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 1024B - Virtual size: 4KB

.pdata
Size: 17KB - Virtual size: 16KB

.idata
Size: 18KB - Virtual size: 18KB

.didat
Size: 1024B - Virtual size: 576B

.rsrc
Size: 164KB - Virtual size: 163KB

.reloc
Size: 3KB - Virtual size: 2KB