Windows.UI.Search.pdb
Static task: static1
Behavioral task: behavioral1
Sample: Windows.UI.Search.dll
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: Windows.UI.Search.dll
Resource: win10v2004-20240508-en
General
Target: Windows.UI.Search.dll
Size: 6.2MB
MD5: a2ca14f79c3d04811165580b852af378
SHA1: 7d836657bf50f66874f6ee120e8ded18ce9a5574
SHA256: 9b3edb0ae0baba5579a50d890be2cd13aae19a9132129a3a1806e94cc6769a87
SHA512: 2aa3393763841474d71234503933d081e9a04e9040652801de60cbaf805a848958f8bd08dca49b70c5cb5f0c2d2c7df76864d627899db095b0912db7fc92eeec
SSDEEP: 98304:ZplBdZVxNJuO1Ehq1spKRJvldCAlojUek9ZVqKmOrdVK:ZplBdZVxNJ1yq1sIREAlojULZVAOZ
Malware Config
Signatures
Unsigned PE (1 IoCs)
Checks for missing Authenticode signature.
resource: Windows.UI.Search.dll
Files
Windows.UI.Search.dll.dll windows:6 windows x86 arch:x86
7ae54b8eebdfc8ce13671955b36ed80a
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
_free_locale
memmove
__crtLCMapStringW
_wcsdup
localeconv
strcspn
sprintf_s
abort
memcmp
___lc_collate_cp_func
calloc
__pctype_func
___lc_handle_func
_errno
___mb_cur_max_func
setlocale
memset
wcslen
wcsncmp
iswalpha
wcschr
_wcsnicmp
iswalnum
memmove_s
_wtof
_wtoi
realloc
strchr
??0bad_cast@@QAE@PBD@Z
??1bad_cast@@UAE@XZ
??0bad_cast@@QAE@ABV0@@Z
ldiv
isspace
wcstok_s
wcsrchr
wcsstr
_set_errno
_get_errno
??_V@YAXPAX@Z
_CIpow
_ftol2
_ftol2_sse
___lc_codepage_func
__uncaught_exception
wcscpy_s
__ExceptionPtrCurrentException
_ismbblead
??1type_info@@UAE@XZ
_except_handler4_common
__crtCompareStringW
__ExceptionPtrCreate
_get_current_locale
__ExceptionPtrCopy
ceil
wcstoul
wcstod
_wcstoi64
_wcstoui64
wcstol
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_initterm
free
_amsg_exit
_XcptFilter
_callnewh
malloc
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABQBD@Z
memcpy
__CxxFrameHandler3
_CxxThrowException
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
??3@YAXPAX@Z
_purecall
__ExceptionPtrDestroy
floor
urlmon
ord504
IsValidURL
URLOpenBlockingStreamW
CreateIUriBuilder
CreateUri
api-ms-win-core-com-l1-1-1
CoGetStdMarshalEx
CoWaitForMultipleHandles
RoGetAgileReference
CoCreateFreeThreadedMarshaler
CoGetMalloc
CLSIDFromProgID
CoGetApartmentType
PropVariantCopy
CoEnableCallCancellation
CoDisableCallCancellation
CoGetObjectContext
CoInitializeEx
CoUninitialize
CoCreateGuid
StringFromCLSID
CoMarshalInterThreadInterfaceInStream
CoGetInterfaceAndReleaseStream
CoReleaseMarshalData
CoGetCallContext
CoCreateInstance
CoTaskMemAlloc
CoCancelCall
CoTaskMemRealloc
CoTaskMemFree
PropVariantClear
api-ms-win-core-winrt-l1-1-0
RoGetActivationFactory
RoActivateInstance
api-ms-win-core-winrt-string-l1-1-0
WindowsCreateStringReference
WindowsSubstringWithSpecifiedLength
WindowsDeleteString
WindowsCreateString
WindowsGetStringRawBuffer
WindowsStringHasEmbeddedNull
WindowsSubstring
WindowsConcatString
WindowsGetStringLen
WindowsCompareStringOrdinal
WindowsIsStringEmpty
WindowsDuplicateString
api-ms-win-core-winrt-error-l1-1-1
RoTransformError
IsErrorPropagationEnabled
RoGetMatchingRestrictedErrorInfo
RoReportFailedDelegate
SetRestrictedErrorInfo
RoOriginateError
RoOriginateErrorW
api-ms-win-core-util-l1-1-0
DecodePointer
EncodePointer
api-ms-win-core-synch-l1-2-0
AcquireSRWLockExclusive
WaitForSingleObjectEx
Sleep
ReleaseSRWLockExclusive
ReleaseSRWLockShared
SetEvent
AcquireSRWLockShared
InitializeCriticalSectionEx
EnterCriticalSection
DeleteCriticalSection
CreateEventExW
LeaveCriticalSection
ResetEvent
InitializeSRWLock
InitializeCriticalSection
api-ms-win-eventing-classicprovider-l1-1-0
GetTraceEnableFlags
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceLoggerHandle
UnregisterTraceGuids
TraceMessage
api-ms-win-eventing-provider-l1-1-0
EventWrite
EventUnregister
EventRegister
api-ms-win-core-libraryloader-l1-2-0
GetModuleHandleExW
LoadLibraryExW
DisableThreadLibraryCalls
GetProcAddress
GetModuleHandleW
LoadStringW
api-ms-win-core-processthreads-l1-1-2
TlsFree
OpenThreadToken
SetThreadToken
GetProcessId
TlsSetValue
OpenProcessToken
TlsAlloc
OpenProcess
GetCurrentThreadId
GetCurrentProcess
TerminateProcess
GetCurrentProcessId
GetCurrentThread
TlsGetValue
CreateProcessAsUserW
api-ms-win-core-handle-l1-1-0
CloseHandle
DuplicateHandle
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-2-1
GetTickCount
GetVersionExW
GetSystemDirectoryW
GetSystemTimeAsFileTime
api-ms-win-core-errorhandling-l1-1-1
SetUnhandledExceptionFilter
GetLastError
RaiseException
UnhandledExceptionFilter
oleaut32
SafeArrayGetDim
SysFreeString
api-ms-win-core-string-l2-1-0
CharLowerBuffW
CharPrevW
api-ms-win-core-string-l1-1-0
GetStringTypeW
WideCharToMultiByte
MultiByteToWideChar
CompareStringW
CompareStringEx
ntdll
WinSqmIncrementDWORD
WinSqmIsOptedIn
WinSqmAddToStreamEx
wcscspn
_wcsicmp
_vsnwprintf
WinSqmAddToStream
RtlNtStatusToDosError
RtlPublishWnfStateData
RtlFreeHeap
RtlInitUnicodeString
RtlAllocateHeap
RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString
NtQueryInformationToken
_chkstk
RtlFlushHeaps
RtlQueryResourcePolicy
kernel32
LCIDToLocaleName
GetSystemDefaultLangID
GetUserDefaultLangID
GetSystemPreferredUILanguages
LCMapStringW
LocaleNameToLCID
IsValidLocaleName
HeapAlloc
GetProcessHeap
RegEnumKeyExW
CreateMutexW
ReleaseMutex
RegQueryValueExW
HeapFree
GetUserGeoID
GetSystemAppDataKey
PackageIdFromFullName
GetUserDefaultUILanguage
LocalReAlloc
GetCurrentPackageInfo
ClosePackageInfo
OpenPackageInfoByFullName
GetPackageInfo
GetPackageFullName
FormatMessageW
GetSystemTime
SystemTimeToFileTime
FindStringOrdinal
ResolveLocaleName
WaitForMultipleObjectsEx
RegisterWaitForSingleObject
CreateEventW
UnregisterWait
IsThreadpoolTimerSet
LocalAlloc
LocalFree
InitOnceExecuteOnce
RegGetValueW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
OutputDebugStringW
RaiseFailFastException
GetTickCount64
CreateSemaphoreW
OpenSemaphoreW
FreeLibraryAndExitThread
FreeLibraryWhenCallbackReturns
CallbackMayRunLong
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CreateThreadpoolTimer
WaitForSingleObject
CreateThread
FreeLibrary
TrySubmitThreadpoolCallback
DeleteTimerQueueTimer
CreateTimerQueueTimer
ReleaseSemaphore
CompareStringOrdinal
DelayLoadFailureHook
ResolveDelayLoadedAPI
CloseState
GetStateFolder
OpenStateExplicit
OpenState
ole32
CoAllowSetForegroundWindow
CoRegisterInitializeSpy
CoRevokeInitializeSpy
OleInitialize
OleUninitialize
RevokeDragDrop
RegisterDragDrop
CreateBindCtx
shlwapi
PathStripPathW
PathMatchSpecExW
ord16
ord236
ord618
ord278
ord572
ord560
ord611
ord487
ord154
ord212
ord219
ord184
ord199
UrlIsW
UrlCanonicalizeW
UrlCompareW
PathIsURLW
SHStrDupA
StrDupW
ord214
ord172
AssocCreate
SHRegGetValueW
PathFindExtensionW
ord158
ord156
SHCreateStreamOnFileEx
PathFileExistsW
HashData
PathRemoveExtensionW
StrStrIW
PathIsRootW
PathStripToRootW
SHStrDupW
AssocQueryStringW
ord12
ord615
ord174
ord176
SHSetThreadRef
SHCreateThreadRef
SHGetThreadRef
PathGetArgsW
UrlEscapeW
shell32
SHGetSpecialFolderLocation
SHCreateItemInKnownFolder
SHCreateShellItemArrayFromShellItem
ShellExecuteExW
ord921
SHCreateAssociationRegistration
SHCreateItemFromParsingName
ord102
ord88
SHGetPropertyStoreForWindow
SHGetIDListFromObject
SHCreateItemFromIDList
SHGetKnownFolderPath
ord18
ord155
SHGetPathFromIDListW
ord245
SHParseDisplayName
ord16
ord916
ord849
ord847
ord814
ord817
ord815
ord830
ord764
ord100
SHGetKnownFolderItem
ord931
propsys
PropVariantToInt32
PSGetNameFromPropertyKey
PropVariantToStringVectorAlloc
PSCreateSimplePropertyChange
PropVariantGetElementCount
PSCreatePropertyChangeArray
PSGetPropertyKeyFromName
PropVariantCompareEx
ord438
PSGetPropertyDescription
ord416
PSGetPropertyDescriptionListFromString
ord432
ord423
PropVariantToStringWithDefault
PropVariantChangeType
InitPropVariantFromPropVariantVectorElem
PSFormatForDisplay
PropVariantToStringAlloc
PSPropertyBag_WriteDWORD
PSPropertyKeyFromString
ord408
PropVariantToUInt32
PSCreateMemoryPropertyStore
InitPropVariantFromStringAsVector
ord435
ord436
wincorlib
?ToString@uint32@default@@QAAP$AAVString@Platform@@XZ
?ToString@int32@default@@QAAP$AAVString@Platform@@XZ
?ToString@Boolean@Platform@@QAAP$AAVString@2@XZ
?Equals@Object@Platform@@Q$AAA_NP$AAV12@@Z
??0InvalidCastException@Platform@@Q$AAA@XZ
?GetHashCode@Object@Platform@@Q$AAAHXZ
??0InvalidArgumentException@Platform@@Q$AAA@P$AAVString@1@@Z
?GetType@Object@Platform@@Q$AAAP$AAVType@2@XZ
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@P$AAV01@@Z
??0DisconnectedException@Platform@@Q$AAA@XZ
?ToString@Enum@Platform@@Q$AAAP$AAVString@2@XZ
?get@FullName@Type@Platform@@Q$AAAP$AAVString@3@XZ
??0NotImplementedException@Platform@@Q$AAA@P$AAVString@1@@Z
??0NullReferenceException@Platform@@Q$AAA@XZ
?InitializeData@Details@Platform@@YGJH@Z
?CreateValue@Details@Platform@@YGP$AAVObject@2@P$AAVType@2@PBX@Z
?__abi_make_type_id@@YGP$AAVType@Platform@@ABU__abi_type_descriptor@@@Z
?__abi_ObjectToString@__abi_details@@YGP$AAVString@Platform@@P$AAVObject@3@_N@Z
?EventSourceGetTargetArrayEvent@Details@Platform@@YGPAXPAXI@Z
?EventSourceGetTargetArraySize@Details@Platform@@YGIPAX@Z
?EventSourceGetTargetArray@Details@Platform@@YGPAXPAXPAUEventLock@12@@Z
?GetIBoxArrayVtable@Details@Platform@@YGPAXPAX@Z
?CreateException@Exception@Platform@@SAP$AAV12@HP$AAVString@2@@Z
?get@Message@Exception@Platform@@Q$AAAP$AAVString@3@XZ
?ResolveWeakReference@Details@Platform@@YGP$AAVObject@2@ABU_GUID@@PAPAU__abi_IUnknown@@@Z
??0ChangedStateException@Platform@@Q$AAA@XZ
??0FailureException@Platform@@Q$AAA@XZ
??0OutOfMemoryException@Platform@@Q$AAA@XZ
??0OutOfBoundsException@Platform@@Q$AAA@XZ
?__abi_cast_Object_to_String@__abi_details@@YGP$AAVString@Platform@@_NP$AAVObject@3@@Z
??0NotImplementedException@Platform@@Q$AAA@XZ
?AllocateException@Heap@Details@Platform@@SAPAXI@Z
?FreeException@Heap@Details@Platform@@SAXPAX@Z
??0Exception@Platform@@Q$AAA@HP$AAVString@1@@Z
?GetWeakReference@Details@Platform@@YGPAU__abi_IUnknown@@Q$ADVObject@2@@Z
?EventSourceUninitialize@Details@Platform@@YGXPAPAX@Z
?EventSourceInitialize@Details@Platform@@YGXPAPAX@Z
?EventSourceRemove@Details@Platform@@YGXPAPAXPAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
?EventSourceAdd@Details@Platform@@YG?AVEventRegistrationToken@Foundation@Windows@@PAPAXPAUEventLock@12@P$AAVDelegate@2@@Z
?__abi_cast_String_to_Object@__abi_details@@YGP$AAVObject@Platform@@P$AAVString@3@@Z
?CreateException@Exception@Platform@@SAP$AAV12@H@Z
?__abi_WinRTraiseAccessDeniedException@@YGXXZ
?__abi_WinRTraiseOutOfMemoryException@@YGXXZ
?__abi_WinRTraiseCOMException@@YGXJ@Z
?__abi_WinRTraiseNullReferenceException@@YGXXZ
?__abi_WinRTraiseWrongThreadException@@YGXXZ
?__abi_WinRTraiseOutOfBoundsException@@YGXXZ
?__abi_WinRTraiseDisconnectedException@@YGXXZ
?__abi_WinRTraiseNotImplementedException@@YGXXZ
?__abi_FailFast@@YGXXZ
?__abi_WinRTraiseClassNotRegisteredException@@YGXXZ
?UninitializeData@Details@Platform@@YGXH@Z
??0Object@Platform@@Q$AAA@XZ
??0Delegate@Platform@@Q$AAA@XZ
?ReCreateFromException@Details@Platform@@YGJP$AAVException@2@@Z
?Allocate@Heap@Details@Platform@@SAPAXI@Z
?Free@Heap@Details@Platform@@SAXPAX@Z
?__abi_WinRTraiseInvalidCastException@@YGXXZ
?__abi_WinRTraiseOperationCanceledException@@YGXXZ
?__abi_WinRTraiseChangedStateException@@YGXXZ
?__abi_WinRTraiseFailureException@@YGXXZ
?__abi_WinRTraiseInvalidArgumentException@@YGXXZ
?__abi_WinRTraiseObjectDisposedException@@YGXXZ
?GetIidsFn@@YGJHPAKPBU__s_GUID@@PAPAVGuid@Platform@@@Z
?GetActivationFactoryByPCWSTR@@YGJPAXAAVGuid@Platform@@PAPAX@Z
??0InvalidArgumentException@Platform@@Q$AAA@XZ
?Intersect@Rect@Foundation@Windows@@QAAXV123@@Z
?IntersectsWith@Rect@Foundation@Windows@@QAA_NV123@@Z
??0GridLength@Xaml@UI@Windows@@QAA@NW4GridUnitType@123@@Z
??0Rect@Foundation@Windows@@QAA@VPoint@12@VSize@12@@Z
??0FailureException@Platform@@Q$AAA@P$AAVString@1@@Z
?get@Right@Rect@Foundation@Windows@@QAAMXZ
?get@Bottom@Rect@Foundation@Windows@@QAAMXZ
?GetIBoxVtable@Details@Platform@@YGPAXPAX@Z
?ReCreateException@Exception@Platform@@SAP$AAV12@H@Z
api-ms-win-core-localization-l1-2-1
GetLocaleInfoW
FindNLSString
GetSystemDefaultLCID
api-ms-win-core-path-l1-1-0
PathCchAppend
PathCchCombine
PathCchAddExtension
api-ms-win-core-file-l1-2-1
CompareFileTime
FindClose
DeleteFileW
FindFirstFileExW
FindNextFileW
api-ms-win-security-base-l1-2-0
AllocateAndInitializeSid
CreateRestrictedToken
CreateWellKnownSid
FreeSid
ImpersonateLoggedOnUser
SetTokenInformation
api-ms-win-core-psapi-l1-1-0
QueryFullProcessImageNameW
api-ms-win-core-processenvironment-l1-2-0
ExpandEnvironmentStringsW
api-ms-win-core-registry-l1-1-0
RegOpenKeyExW
RegQueryInfoKeyW
sspicli
GetUserNameExW
api-ms-win-core-timezone-l1-1-0
FileTimeToSystemTime
user32
SetWindowLongW
OffsetRect
IntersectRect
MapWindowPoints
GetWindowRect
DestroyMenu
GetSystemMetrics
GetKeyState
MonitorFromRect
GetMonitorInfoW
GetWindowLongW
GetPropW
GetDesktopWindow
GetPointerInfo
GetQueueStatus
IsWindowUnicode
MoveWindow
PostQuitMessage
ToUnicodeEx
SetCursor
AttachThreadInput
GetAncestor
ClientToScreen
SetRectEmpty
GetWindow
PostMessageW
GetKeyboardLayout
ActivateKeyboardLayout
SystemParametersInfoW
RegisterWindowMessageW
RemovePropW
MonitorFromWindow
IsWindowVisible
CreatePopupMenu
GetMenuDefaultItem
UnionRect
InflateRect
GetKeyboardState
GetParent
GetAsyncKeyState
GetDC
ReleaseDC
SetForegroundWindow
SetPropW
CreateWindowInBand
ShowWindow
RegisterClassExW
DefWindowProcW
GetForegroundWindow
DestroyWindow
PostThreadMessageW
DispatchMessageW
TranslateMessage
MsgWaitForMultipleObjectsEx
PeekMessageW
DefWindowProcA
ord2508
LoadCursorW
GetSysColor
ord2521
SetWindowCompositionAttribute
IsWindowInDestroy
ord2561
SetKeyboardState
bcp47langs
Bcp47FromHkl
Bcp47GetNlsForm
Bcp47GetDirectionality
shcore
ord244
CreateStreamOverRandomAccessStream
CreateRandomAccessStreamOverStream
ord246
ord245
GetScaleFactorForMonitor
ord242
combase
ord65
wsclient
GetApplicationURL
twinapi
ord11
ord9
uxtheme
ord96
ord120
ord121
ord104
ord106
uiautomationcore
UiaDisconnectAllProviders
api-ms-win-core-registry-l2-1-0
RegSetKeyValueW
Exports
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
Sections
.text Size: 5.2MB - Virtual size: 5.2MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 422KB - Virtual size: 427KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 152B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 52KB - Virtual size: 51KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 469KB - Virtual size: 468KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ