Windows 10: Microsoft Store malicious app - Dropping malware into C:\program files\windowsapps

Discussion in 'Microsoft Windows 10 Store' started by Diviney, Feb 20, 2020.

  1. Diviney Win User

    Microsoft Store malicious app - Dropping malware into C:\program files\windowsapps


    Hi,


    My antivirus flagged this file as malware. It is part of an app offered on the Microsoft Store called Cool File Viewer. I want to report it to Microsoft but I can't figure out how. I already tried reporting it through the app store by viewing the app and going to the Review tab; no option is there. I also can't find vendor information for this program at all. Very strange.


    File info:

    c:\program files\windowsapps\20815shootingapp.airfileviewer_1.4.3.0_x86__xcg28tkrsnqww\fvapp\apps\office\program\soffice.bin

    Name:

    soffice.bin

    SHA256:

    f52fe82928b3828c8653542ef0e624b4479d4ef922027cf34c64eab1b276247c


    The file was deleted before I could get to the machine, so I cannot submit the file to my AV company for analysis. All AV scans have returned clean results since this detection. I have a root cause analysis available that shows svchost.exe invoked that file, soffice.bin, which then invoked this executable: c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.12430.20280.0_x64__8wekyb3d8bbwe\hxtsr.exe, which is just Microsoft Outlook communications.


    It seems like most of the apps in this directory C:\program files\windowsapps are legitimate apps but I'm concerned that this app in particular is trying to send malware to our machines disguised as an app update.


    Another KB I found helpful, I was able to run the takeown & icacls commands to get ownership of the files so that I could modify them: https://answers.microsoft.com/en-us...52a-0445-4878-9ce3-8b7a4f45fe6a?page=2&auth=1


    Any help or resources would be appreciated. I don't want to block the Microsoft store from being accessed but it's starting to look like that is what needs to be done.


    Thanks, Alex

    :)
     
    Diviney, Feb 20, 2020
    #1
  2. rubpa Win User

    Unnecessary apps in C:\Program Files\WindowsApps

    I see lots of versions of the same app in C:\Program Files\WindowsApps. These are apps that I don't even have installed. Overall they are taking up about 10GB.

    1. How can I remove these apps completely?
    2. Or can I keep only the most recent version?

    The storage sense suggested here or disk cleanup of system files has not helped.

    Here is the log of some of the unnecessary apps with sizes in MB

    Code:
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.24.2401.0_neutral_~_ytsefhwckbdv6
    86M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.24.2401.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.24.2401.1000_neutral_~_ytsefhwckbdv6
    54M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.24.2401.1000_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.25.2500.0_neutral_~_ytsefhwckbdv6
    83M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.25.2500.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.25.2503.0_neutral_~_ytsefhwckbdv6
    84M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.25.2503.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.25.2504.0_neutral_~_ytsefhwckbdv6
    84M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.25.2504.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.25.2505.0_neutral_~_ytsefhwckbdv6
    84M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.25.2505.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.26.2600.0_neutral_~_ytsefhwckbdv6
    85M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.26.2600.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.26.2601.0_neutral_~_ytsefhwckbdv6
    85M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.26.2601.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.26.2603.0_neutral_~_ytsefhwckbdv6
    85M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.26.2603.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2700.0_neutral_~_ytsefhwckbdv6
    84M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2700.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2701.0_neutral_split.scale-125_ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2701.0_neutral_~_ytsefhwckbdv6
    84M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2701.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2702.0_neutral_~_ytsefhwckbdv6
    236M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2702.0_x86__ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2703.0_neutral_split.scale-100_ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2703.0_neutral_split.scale-125_ytsefhwckbdv6
    1M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2703.0_neutral_~_ytsefhwckbdv6
    234M    ./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2703.0_x86__ytsefhwckbdv6
    67M    ./Program Files/WindowsApps/89006A2E.AutodeskSketchBook_1.8.5.0_x64__tf1gferkr813w
    559M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.3.0.7_x86__h6adky7gbf63m
    532M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.4.0.12_x86__h6adky7gbf63m
    531M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.4.1.1_x86__h6adky7gbf63m
    531M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.4.2.1_x86__h6adky7gbf63m
    562M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.5.0.8_x86__h6adky7gbf63m
    563M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.5.1.2_x86__h6adky7gbf63m
    570M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.6.0.9_x86__h6adky7gbf63m
    569M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.6.1.1_x86__h6adky7gbf63m
    583M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.7.0.8_x86__h6adky7gbf63m
    15M    ./Program Files/WindowsApps/A278AB0D.DisneyMagicKingdoms_3.7.1.1_x86__h6adky7gbf63m
    185M    ./Program Files/WindowsApps/A278AB0D.MarchofEmpires_3.5.0.11_x86__h6adky7gbf63m
    142M    ./Program Files/WindowsApps/A278AB0D.MarchofEmpires_3.6.0.11_x86__h6adky7gbf63m
    141M    ./Program Files/WindowsApps/A278AB0D.MarchofEmpires_3.6.1.1_x86__h6adky7gbf63m
    142M    ./Program Files/WindowsApps/A278AB0D.MarchofEmpires_3.6.2.3_x86__h6adky7gbf63m
    143M    ./Program Files/WindowsApps/A278AB0D.MarchofEmpires_3.7.0.7_x86__h6adky7gbf63m
    150M    ./Program Files/WindowsApps/A278AB0D.MarchofEmpires_3.8.0.13_x86__h6adky7gbf63m
    185M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1340.3.0_x86__kgqvnymyfvs32
    167M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1340.5.0_x86__kgqvnymyfvs32
    167M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1341.1.0_x86__kgqvnymyfvs32
    170M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1360.3.0_x86__kgqvnymyfvs32
    173M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1371.1.0_x86__kgqvnymyfvs32
    181M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1380.6.0_x86__kgqvnymyfvs32
    178M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1390.3.0_x86__kgqvnymyfvs32
    181M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1400.5.0_x86__kgqvnymyfvs32
    186M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1410.4.0_x86__kgqvnymyfvs32
    186M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1411.1.0_x86__kgqvnymyfvs32
    186M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1420.4.0_x86__kgqvnymyfvs32
    189M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1430.6.0_x86__kgqvnymyfvs32
    191M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1440.2.0_x86__kgqvnymyfvs32
    191M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1440.3.0_x86__kgqvnymyfvs32
    137M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1440.4.0_x86__kgqvnymyfvs32
    189M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1450.4.0_x86__kgqvnymyfvs32
    189M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1450.5.0_x86__kgqvnymyfvs32
    192M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1461.3.0_x86__kgqvnymyfvs32
    192M    ./Program Files/WindowsApps/king.com.CandyCrushSaga_1.1461.4.0_x86__kgqvnymyfvs32
    
     
    rubpa, Feb 20, 2020
    #2
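
Added example, not part of any post in this thread: the folder names quoted in posts #1 and #2 follow the package full name layout Name_Version_Architecture_ResourceId_PublisherId, so a short Python parser can pull the package identity out of a process-chain path and list superseded versions from a directory log. The function names and the trusted publisher ID set are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Layout: Name_Version_Architecture_ResourceId_PublisherId (an empty ResourceId gives "__").
FULL_NAME = re.compile(
    r"windowsapps[\\/](?P<name>[^_\\/]+)_(?P<version>\d+(?:\.\d+){3})_(?P<arch>[^_\\/]+)"
    r"_(?P<resource>[^_\\/]*)_(?P<publisher_id>[0-9a-z]{13})(?:[\\/](?P<file>.*))?$",
    re.IGNORECASE)

def parse_package(path):
    """Return the package identity embedded in a WindowsApps path, or None."""
    m = FULL_NAME.search(path)
    if m is None:
        return None
    ident = m.groupdict(default="")
    ident["version"] = tuple(int(n) for n in ident["version"].split("."))
    ident["family"] = (ident["name"] + "_" + ident["publisher_id"]).lower()
    return ident

def unexpected_publishers(paths, trusted_ids):
    """Identities of files whose package publisher ID is not in trusted_ids."""
    idents = [parse_package(p) for p in paths]
    return [i for i in idents if i and i["publisher_id"].lower() not in trusted_ids]

def superseded_versions(paths):
    """Map family -> older versions on disk (simplification: neutral folders skipped)."""
    seen = defaultdict(set)
    for p in paths:
        ident = parse_package(p)
        if ident and ident["arch"].lower() != "neutral":
            seen[ident["family"]].add(ident["version"])
    return {fam: sorted(v)[:-1] for fam, v in seen.items() if len(v) > 1}

# Paths copied from the thread: post #1's process chain and a few lines of post #2's log.
CHAIN = [
    r"c:\program files\windowsapps\20815shootingapp.airfileviewer_1.4.3.0_x86__xcg28tkrsnqww\fvapp\apps\office\program\soffice.bin",
    r"c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.12430.20280.0_x64__8wekyb3d8bbwe\hxtsr.exe",
]
LISTING = [
    "./Program Files/WindowsApps/828B5831.HiddenCityMysteryofShadows_1.27.2703.0_neutral_~_ytsefhwckbdv6",
    "./Program Files/WindowsApps/A278AB0D.MarchofEmpires_3.6.2.3_x86__h6adky7gbf63m",
    "./Program Files/WindowsApps/A278AB0D.MarchofEmpires_3.7.0.7_x86__h6adky7gbf63m",
    "./Program Files/WindowsApps/A278AB0D.MarchofEmpires_3.8.0.13_x86__h6adky7gbf63m",
]
TRUSTED = {"8wekyb3d8bbwe"}  # assumption: analyst-supplied allowlist of publisher IDs

if __name__ == "__main__":
    print(unexpected_publishers(CHAIN, TRUSTED))
    print(superseded_versions(LISTING))
```

The name, version and publisher ID recovered this way identify the exact package build to quote in a report alongside the file hash.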
  3. athman8 Win User
    Why I can not open C:\Program Files\WindowsApps ?

    WindowsApps is the folder where all the program files installed from the Windows / Microsoft Store are stored. Apps installed from the Microsoft Store include Photos, Paint 3D, Movies & TV, People, Windows Camera and more. All the files related to these Store applications are installed in the WindowsApps folder. The WindowsApps folder is located in the “C:\Program Files” folder and access to it is restricted by default.
     
    athman8, Feb 20, 2020
    #3
  4. camelia Win User

    Microsoft Store malicious app - Dropping malware into C:\program files\windowsapps

    Why I can not open C:\Program Files\WindowsApps ?

    @Steve C, thanks :) I will try TreeSize.

    @athman8, I know, but since I am uninstalling some of them, I want to see my progress inside this folder.

    Came
     
    camelia, Feb 20, 2020
    #4