AppxAllUserStore[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

AppxAllUserStore.dll
Size

269KB
MD5

22d73e54db9e1e4110172ee54acc6b05
SHA1

f95f216dd7df5032df9c41fa905840490e7bcbed
SHA256

f445d2c0d99e2415c20dd61a1f5df902bb674cfd8bce29c5df429994a562647c
SHA512

5ff41591623b9350c2e4bdf20da17958311348ddb752f478b547703e12c8cbab434268230cfe88521db03d9682fce7ea0f6bffac994b9660b2719d35986e6728
SSDEEP

6144:UUPLM5yIDrcCs5x6O2JWe83lLcSkchUIN21S:IRDAC6sWe8VLc/wUINoS

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
AppxAllUserStore.dll

Files

AppxAllUserStore.dll
.dll windows:10 windows x86 arch:x86

c37fc79fcfb38082c6d2d8e115713122

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

AppxAllUserStore.pdb

Imports

msvcrt

memmove
memcpy
memcmp
__dllonexit
_unlock
_lock
_initterm
malloc
_onexit
_amsg_exit
_XcptFilter
wcschr
_wcsnicmp
wcstok_s
memmove_s
wcsstr
_wcslwr
free
_wcsicmp
_vsnwprintf_s
memcpy_s
_except_handler4_common
memset

ntdll

RtlAllocateAndInitializeSid
RtlDeleteCriticalSection
RtlDowncaseUnicodeString
RtlValidSid
RtlFreeUnicodeString
RtlConvertSidToUnicodeString
RtlReleaseSRWLockExclusive
RtlReleaseSRWLockShared
RtlAddAce
RtlAcquireSRWLockExclusive
NtQuerySystemInformation
RtlReportException
RtlFreeHeap
RtlNtStatusToDosErrorNoTeb
RtlReAllocateHeap
RtlAllocateHeap
RtlLookupElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlInitUnicodeString
RtlCompareUnicodeString
RtlSystemTimeToLocalTime
NtQuerySystemTime
RtlFreeSid
RtlAcquireSRWLockShared

api-ms-win-core-libraryloader-l1-1-0

LoadLibraryExW
GetModuleFileNameA
LoadLibraryExA
GetProcAddress
FreeLibrary
GetModuleHandleW
GetModuleHandleExW

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
ReleaseSemaphore
AcquireSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
ReleaseSRWLockExclusive
WaitForSingleObject
ReleaseMutex
WaitForSingleObjectEx
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
OpenSemaphoreW
InitializeCriticalSectionEx
CreateMutexExW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentThreadId
OpenThreadToken
GetCurrentProcess
GetCurrentThread
GetCurrentProcessId

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage
GetTraceEnableLevel
UnregisterTraceGuids
RegisterTraceGuidsW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventUnregister
EventActivityIdControl
EventRegister

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceBeginInitialize
InitOnceComplete

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetWindowsDirectoryW

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-core-registry-l1-1-0

RegCopyTreeW
RegDeleteKeyExW
RegSetValueExW
RegQueryValueExW
RegQueryInfoKeyW
RegUnLoadKeyW
RegOpenKeyExW
RegFlushKey
RegDeleteValueW
RegLoadAppKeyW
RegCloseKey
RegLoadKeyW
RegDeleteTreeW
RegGetValueW
RegEnumKeyExW
RegCreateKeyExW

api-ms-win-core-registry-l2-1-0

RegOpenKeyW

api-ms-win-core-file-l1-1-0

RemoveDirectoryW
SetFileAttributesW
FindNextFileW
FindFirstFileW
FindClose
CreateFileW
WriteFile
GetFileAttributesW
CreateDirectoryW
DeleteFileW

api-ms-win-security-base-l1-1-0

ImpersonateSelf
CreateWellKnownSid
GetTokenInformation
GetLengthSid
ImpersonateLoggedOnUser
RevertToSelf
AdjustTokenPrivileges
GetSidSubAuthority
GetSidSubAuthorityCount
GetAce
CheckTokenMembership
CopySid

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree

api-ms-win-core-file-l2-1-0

MoveFileExW
CreateHardLinkW

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolTimer

api-ms-win-core-com-l1-1-0

CoUninitialize
CoInitializeEx
CoTaskMemFree
CoTaskMemAlloc
CoCreateInstance

api-ms-win-core-kernel32-legacy-l1-1-0

CopyFileW
MoveFileW

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

oleaut32

SysStringLen
SysFreeString
SysAllocString
VariantClear
GetErrorInfo
SysAllocStringLen

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsCreateStringReference
WindowsGetStringRawBuffer

api-ms-win-core-winrt-l1-1-0

RoActivateInstance

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

AddDeprovisionedPackageMarking
AddDownlevelInstalledPackageToRegistryStore
AddEndOfLifePackageMarking
AddEndOfLifePackageMarkingForAllUsers
AddPackageToPreinstalledAppsVolume
AddPackageToRegistryStore
AddStagedPackageToPreinstalledAppsVolume
AddStagedPackageToRegistryStore
AddUpgradePackageToPreinstalledVolume
AddUpgradePackageToRegistryStore
ApplyFrameworkPackageRootFolderACLs
ApplyPackageRootFolderACLs
ApplySharedFileACLs
CheckPackagePreinstallPolicy
CommitTakeOwnershipSession
DeleteAllPackagesFromMainPackageArray
DeleteAllPackagesFromPackageArray
DeletePackageInfo
DeleteUpdatedPackageKey
DeleteUserRegistryKeyFromAllUserStore
DidAppSurviveOSUpgradeForUser
DoesPerUserStoreExist
FamilyMonikerStringToSid
FindExistingVersionInRegistryStore
FindFullNameForFamilyNameInAppxAllUserStore
GetAllInboxPackages
GetAllNonInboxPackagesFromRegistryStore
GetAllPackagesToBeInstalledForSetupPhase
GetAllPackagesToBeInstalledForUser
GetAllStagedPackagesForMainPackageFromRegistryStore
GetAllUpdatedPackages
GetAppxProvisionFactory
GetFoldersToKeepForPBR
GetOptionalPackageInfoForPackage
GetPackageOverrideSetupPhase
GetPackageSetupPhase
GetPackagesThatMayNeedPreinstallPackageStatusMarked
GetUpgradePackageVolumeKey
HasCentennial
HasStagedPackages
IsCleanupTaskComplete
IsEnterprisePolicyEnabled
IsInboxPackage
IsInboxPackageAndPath
IsNonInboxAllUserPackage
IsNonInboxAllUserPackageSpecificPackage
IsPackageEndOfLife
IsPackageFamilyInUninstallBlocklist
IsPackageFamilyInUninstallBlocklistByPackageFullName
IsPackageInDownlevelInstalledKey
IsPackageInEndOfLifeKey
IsPackageInStagedKey
IsPackageInUpgradeKey
IsPackageInUsersUpgradeKey
IsPackageOnPreinstalledVolume
IsSystemInAuditBoot
MarkStatusOfMainPackageForUser
PackageFamilyNameFromId
PackageIdBasicFromFullName
PackageSidToPackageCapabilitySid
RemoveDeprovisionedPackageMarking
RemoveDownlevelInstalledPackagesFromRegistryStore
RemoveEndOfLifePackageMarkingForAllUsers
RemoveInboxInstalledStatusOfPackageForUser
RemovePackageFromRegistryStore
RemovePackageFromRegistryStoreConfigIfExists
RemoveStagedPackageFromRegistryStore
RemoveStatusOfMainPackageForAllUsers
RemoveUpgradePackagesFromRegistryStore
RestoreDownlevelAllUserStore
RollbackTakeOwnershipSession
SetAllUserStorePathForTest
SetPackageOverrideSetupPhase
SetTargetOsVersionOnPreinstalledVolume
TakeOwnershipOnFolder
TryGetDownlevelInstalledPackageFullName
TryGetEndOfLifePackageFullName
UpdateFrameworkPackageInRegistryStore
UpdatePackageInRegistryStore
UpdatePackageSetupPhase
UpdateUpgradePackageInRegistryStore

Sections

.text
Size: 247KB - Virtual size: 246KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c37fc79fcfb38082c6d2d8e115713122

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-libraryloader-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-profile-l1-1-0

oleaut32

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 247KB - Virtual size: 246KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 7KB - Virtual size: 6KB

.didat Size: 512B - Virtual size: 32B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 11KB - Virtual size: 11KB

.text
Size: 247KB - Virtual size: 246KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 7KB - Virtual size: 6KB

.didat
Size: 512B - Virtual size: 32B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 11KB - Virtual size: 11KB