DLL
6 Topics

Appx Package Leaves Behind DLLs on Uninstall (Pipeline vs Local Debug Build)
Hello everyone, I'm encountering an issue with my WPF application that's packaged as an appx file for sideloading. I'm new to this area, so any guidance or suggestions would be greatly appreciated.

Issue Overview:

Pipeline Build (Release): The appx package generated in our build pipeline (with code signing) installs and runs as expected. However, after uninstalling the app, certain DLLs remain in the Windows app folder.

Local Build (Debug): When I generate the appx package locally using Visual Studio in Debug mode and perform the install/uninstall on the same device, the DLLs are cleaned up properly.

I didn't change any property in the appxmanifest.xml other than the publisher name and the certificate.

IIS Server Loads suspicious DLL
Hello, I am encountering an unusual behavior with the IIS Worker Process (w3wp.exe) and require assistance in understanding it.

The process initiates with the following arguments:
Application Pool: "TestApplicationAPI"
CLR Version: "v4.0"
Managed Pipeline Mode: Integrated
Named Pipe: "\.\pipe\iisipmc[unique-id]"
Configuration File: "C:\inetpub\temp\apppools\TestApplicationAPI\TestApplicationAPI.config"
Other Parameters: Default settings

Subsequently, a DLL is filelessly loaded into the process. The DLL has a name following the pattern "zx_[md5hash].dll", where [md5hash] represents a specific hash value. I have searched extensively but found no information regarding such fileless DLL loading in IIS, particularly with a name that seems to be dynamically generated.

Can anyone provide insights into:
The nature and purpose of this "zx_[md5hash].dll"?
The implications of this behavior for the security and stability of the IIS environment?
Any known issues or documentation related to this kind of scenario in IIS?

Any help or guidance would be greatly appreciated. Thank you!

Edge crashing when accessing sites in IE compatibility mode; msedge_elf.dll
I have a single user who within the last 3 days cannot access any sites we have in IE compatibility mode. They receive the error "Microsoft Edge has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify if a solution is available."

From the Event Viewer logs:
Log Name: Application
Source: Windows Error Reporting
Date: 6/8/2023 2:31:34 PM
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: XXXXXX
Description:
Fault bucket , type 0
Event Name: crashpad_exp
Response: Not available
Cab Id: 0
Problem signature:
P1: msedge.exe
P2: 114.0.1823.41
P3: msedge_elf.dll
P4: 114.0.1823.41
P5: 2503959
P6: utility
P7: 0x517a7ed
P8: 0
P9:
P10:

Edge is up to date, v 114.0.1823.41. Tried resetting Edge but no luck. On Windows 10 x64 Enterprise. IE 11 is enabled in Windows Features.

Need assistance in regards to possible zero-day printer nightmare exploit
We are all aware of the printer nightmare exploit and the threat level. I believe I have found a Windows system file that is undetected by every AV solution, however it is not signed by Microsoft and shows over 300 indicators on VirusTotal. The file in question is udhisapi.dll. After a forensic investigation into printer issues, I found that a local desktop was hosting this file for download as a server. After this I looked and found 12 different versions of this DLL on my desktop and 16 versions on the front register (all of which had different locations and sizes). I took the largest of the files to VirusTotal and found this information. Our enterprise security, Bitdefender, had reported 3 printer nightmare exploits on our endpoints, which went up to 6 total exploits within the first two hours of today. The file in question references the SOAP protocol and many blacklisted strings that are whitelisted once the file itself is executed. This is the reason behind my sfc scans and DISM commands not properly remediating the issue. From what it seems, there is a MITM actor that intercepts the Windows order for a print, through the spooler service, and drops a malicious file instead. I have had MRT.exe remove two variants of Windows 32-bit ransomware (Cerberus variant) in the past two days, found under the local Microsoft Edge cache (the browser which I print from). The link to the DLL in question on VirusTotal is here: https://www.virustotal.com/gui/file/6f2ec54de75cb421f464682068e2d32e27644b3a1f3d03f8b2295760e50523cb/detection

I will also include the file itself on this post, encrypted with password: malicious. My printer shows intermittent signs of this exploit, as well as being detected as affected by this exploit, regardless of it being updated daily. Signs would include: spooler showing one document pending with no document in the queue; inability to properly disable the spooler service (before the ransomware removal), whether through PowerShell or Windows Services. Please offer any guidance on this issue as it is CURRENT. I also have other files that I believe to be related that I will submit if this issue catches traction. Thank you so much!

Edit: Now 8/10 endpoints are showing the printer nightmare exploit.

Edit 2: Attached another file, the Windows Media Creation Tool, downloaded directly from Microsoft, but showing blacklisted languages for Chinese Traditional and Saudi Arabia. Related files also seem to be malicious. Compiled in 1974 according to PE information.

Edit 3: My security software is blocking connection to our POS server, citing data protection. Printer stopped working for about an hour but I was able to get it back online for now.

Edit 4: Security software blocking credit card processing machine, running Android OS I believe. Owner had me disable the data protection module so they could process a transaction. Logged in my notes.

Edit 5: 9/10 endpoints showing printer nightmare exploit.

Edit 6: Security support team from Bitdefender said the files don't relate to the printer nightmare exploit; apologies if this was tagged incorrectly.

Edit 7: Not at the office today, just expanding contacted IPs, referring files and communicating files (regarding the Media Creation Tool). Link to VT graph: https://www.virustotal.com/graph/embed/gf8aeac13b1b74d7d90f369b434226dc2a58e14b3bf604091a86b75007d19b49e Nearly all files are new as of this year or last year.

Edit 8: Yes, I am making the claim that the main Windows Media Creation Tool for 21H1 is backdoored. I understand the implications and how unlikely this is. Reddit classified this type of malware as "polymorphic code with variable covert data exfiltration". I also have made a simplified graph on VT only containing the execution parents, and communicating files to contacted IPs by the Media Creation Tool.
Link: https://www.virustotal.com/graph/gac59b3c279394c019262f6fc7cb03e6eabaf85fa7cda48de87880b180c58826b

Edit 9: Here is the link to an analysis of the original officesetup.exe that started my investigation 3 months ago: https://analyze.intezer.com/analyses/be1706a9-f94f-4e34-8c55-706cbaf9ecc2 The strings referenced that concern me are the "admin tools": TeamViewer, Monero, Wireshark, Bitcoin, injectproc, driver toolkit, and others. More malicious files being detected by msert.exe today. I will upload the Office setup file here as well, password: malicious.

Edit 10: Also, the MITRE shows a Unix command/scripting interpreter utilized and references a command and control server.

Edit 11: Suspicious program connecting through firewall, according to Bitdefender. Uploading with password: malicious; will also run a dynamic sandbox report.

Edit 12: https://analyze.intezer.com/analyses/b9172ae7-26cc-45db-9dc1-183297ded4db

Edit 13: Msert found over 20 infected files, but did not remove or list any. I have seen this before and know it can be normal. Given my situation I have suspicions, however.

Edit 14: Home system seems to be infected still by whatever form of malware this is. Uploading more files that were dropped as a Windows upgrade and scan clean; my Explorer (Windows UI) is crashing randomly and restarting. Password: malicious. Removed WildTangentService, as it is not Windows related, I believe.

The code execution cannot proceed because edgegdi.dll was not found.
Can anyone identify why this appears when opening Task Manager in Windows 10? It's an intermittent issue.

Task Manager: "The code execution cannot proceed because edgegdi.dll was not found."

Please add your inputs!

Note - This issue appears on random models running Windows 10 Version 2004, and is also seen when opening Windows Settings and Event Viewer on machines.

DLL Hell ... Again Access 16.0.12430.20264 vs 16.0.4266.1001 Office 365 vs ACCDR RTE Project
Hi everyone, first time poster, long time Access developer. A few years ago I had this issue, and a year or so ago I had this problem. I develop a 32-bit Access .accdr and distribute it via the runtime with an installer. Client has Click-to-Run Office 365 (32-bit) 16.0.12430.20264. My version of Access is Office 2016 16.0.12430.20264. When I deploy my app to their PC the runtime does not install (obviously, since they have 365); however, when I try to run portions of my form I get errors like "function is not available in expressions in query expression left([id],1)". Now other 365 users don't have this problem, just this client. What can I do here?

Here are my references: 16.0.4266.1001 Microsoft Access 2016 - Build:16.0.4266
VBA: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL (7.1.10.48)
Access: C:\Program Files (x86)\Microsoft Office\Office16\MSACC.OLB (16.0.4266.1001)
DAO: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\ACEDAO.DLL (16.0.4266.1001)
SHDocVw: C:\Windows\SysWOW64\ieframe.dll (11.0.18362.657)
WinHttp: C:\Windows\system32\winhttpcom.dll (10.0.18362.1)
ADODB: C:\Program Files (x86)\Common Files\System\ado\msado15.dll (10.0.18362.239)
ADOX: C:\Program Files (x86)\Common Files\System\ado\msadox.dll (10.0.18362.175)
stdole: C:\Windows\SysWOW64\stdole2.tlb (10.0.18362.1)
MSXML2: C:\Windows\SysWOW64\msxml6.dll (6.30.18362.418)
Office: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL (16.0.4266.1001)

Here are the client references: 16.0.12430.20264 Microsoft Access 2016 - Build:16.0.12430
VBA: C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL (7.1.10.92)
Access: C:\Program Files (x86)\Microsoft Office\Root\Office16\MSACC.OLB (16.0.10730.20030)
DAO: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\ACEDAO.DLL (16.0.12325.20144)
SHDocVw: C:\Windows\SysWOW64\ieframe.dll (11.0.18362.657)
WinHttp: C:\WINDOWS\system32\winhttpcom.dll (10.0.18362.1)
ADODB: C:\Program Files (x86)\Common Files\System\ado\msado15.dll (10.0.18362.239)
ADOX: C:\Program Files (x86)\Common Files\System\ado\msadox.dll (10.0.18362.175)
stdole: C:\Windows\SysWOW64\stdole2.tlb (10.0.18362.1)
Office: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL (16.0.12430.20184)

Deploying my app out to users who already have Access almost always works as long as it's all 32-bit, but I've now encountered this type of issue twice where a CTR Office 365 gets DLL errors running my app. Any thoughts?