Windows[.]UI[.]Search[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

Windows.UI.Search.dll
Size

4.7MB
MD5

62cabe5995ce3272be70b0950c81745b
SHA1

2194532a44de5bf0487fe88d211b5363817da557
SHA256

4796795fa85b08edbaea6212cb7e9e360826f5c449f696117b5591deecbc088b
SHA512

ea9b9537f7bb220699259218f612664cec5d03b627c784a5b578b82e597af2b8825f0ba9f9b251aa63d53f889da8a9cc776ff8e6d21b216e0ca629774d42e93f
SSDEEP

98304:BymkBMko7+1moAN3xSTPMhEFj/IXHRef:BymF5xoPR9

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Windows.UI.Search.dll

Files

Windows.UI.Search.dll
.dll windows:6 windows x86 arch:x86

3b47a49e73f344ba2e1c2ffb595e9fdb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

Windows.UI.Search.pdb

Imports

msvcrt

__crtLCMapStringW
__crtCompareStringW
_wcsdup
localeconv
strcspn
sprintf_s
abort
memcmp
___lc_collate_cp_func
__pctype_func
_ismbblead
___lc_codepage_func
___lc_handle_func
_errno
___mb_cur_max_func
setlocale
wcslen
memset
wcsncmp
iswalpha
wcschr
_get_current_locale
iswalnum
memmove_s
_wtof
_wtoi
realloc
strchr
??0bad_cast@@QAE@PBD@Z
??1bad_cast@@UAE@XZ
??0bad_cast@@QAE@ABV0@@Z
ldiv
isspace
wcstok_s
wcsrchr
wcsstr
_vsnwprintf
wcscspn
_set_errno
_get_errno
??_V@YAXPAX@Z
_free_locale
_unlock
__dllonexit
wcscpy_s
__ExceptionPtrCurrentException
_ftol2_sse
_wcsnicmp
calloc
_CIpow
_ftol2
_except_handler4_common
??1type_info@@UAE@XZ
_onexit
wcstoul
wcstol
_lock
_initterm
free
_amsg_exit
_XcptFilter
_callnewh
malloc
memcpy
__CxxFrameHandler3
_CxxThrowException
??0exception@@QAE@ABQBDH@Z
__ExceptionPtrCreate
?terminate@@YAXXZ
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??3@YAXPAX@Z
_purecall
__ExceptionPtrDestroy
memmove
__ExceptionPtrCopy
__uncaught_exception
floor

urlmon

ord504
IsValidURL
URLOpenBlockingStreamW
CreateUri

api-ms-win-core-com-l1-1-1

CoTaskMemAlloc
CoCreateInstance
CoTaskMemRealloc
CoGetInterfaceAndReleaseStream
CoGetObjectContext
CoMarshalInterThreadInterfaceInStream
CoTaskMemFree
PropVariantClear
CLSIDFromProgID
CoGetMalloc
CoCreateFreeThreadedMarshaler
CoDisableCallCancellation
CoCancelCall
CoEnableCallCancellation
PropVariantCopy
CoGetStdMarshalEx
CoGetApartmentType
CoWaitForMultipleHandles
CoUninitialize
CoInitializeEx
RoGetAgileReference
CoCreateGuid
CoGetCallContext
StringFromCLSID
CoReleaseMarshalData

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory

api-ms-win-core-winrt-string-l1-1-0

WindowsSubstring
WindowsConcatString
WindowsCreateStringReference
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsDuplicateString
WindowsCreateString
WindowsIsStringEmpty
WindowsSubstringWithSpecifiedLength
WindowsGetStringLen
WindowsCompareStringOrdinal
WindowsStringHasEmbeddedNull

api-ms-win-core-winrt-error-l1-1-1

IsErrorPropagationEnabled
RoReportFailedDelegate
RoOriginateError
RoTransformError
SetRestrictedErrorInfo
RoOriginateErrorW
RoGetMatchingRestrictedErrorInfo

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-synch-l1-2-0

InitializeSRWLock
EnterCriticalSection
InitializeCriticalSectionEx
ReleaseSRWLockShared
Sleep
AcquireSRWLockExclusive
ResetEvent
WaitForSingleObjectEx
ReleaseSRWLockExclusive
SetEvent
CreateEventExW
AcquireSRWLockShared
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
RegisterTraceGuidsW
UnregisterTraceGuids

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventRegister
EventWrite

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
LoadStringW
DisableThreadLibraryCalls
LoadLibraryExW
GetModuleHandleExW
GetModuleHandleW

api-ms-win-core-processthreads-l1-1-2

CreateProcessAsUserW
SetThreadToken
OpenThreadToken
GetCurrentProcessId
GetCurrentProcess
TlsSetValue
TlsAlloc
TlsGetValue
GetProcessId
TerminateProcess
OpenProcess
TlsFree
GetCurrentThreadId
GetCurrentThread
OpenProcessToken

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-2-1

GetVersionExW
GetTickCount
GetSystemTimeAsFileTime
GetSystemDirectoryW

api-ms-win-core-errorhandling-l1-1-1

UnhandledExceptionFilter
GetLastError
RaiseException
SetUnhandledExceptionFilter

oleaut32

SysFreeString
SafeArrayGetDim

api-ms-win-core-string-l2-1-0

CharLowerBuffW
CharPrevW

api-ms-win-core-string-l1-1-0

CompareStringEx
MultiByteToWideChar
WideCharToMultiByte
CompareStringW
GetStringTypeW

ntdll

WinSqmIncrementDWORD
WinSqmIsOptedIn
WinSqmAddToStreamEx
WinSqmAddToStream
RtlNtStatusToDosError
RtlPublishWnfStateData
RtlFreeHeap
RtlInitUnicodeString
RtlAllocateHeap
RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString
NtQueryInformationToken

kernel32

HeapAlloc
GetProcessHeap
RegQueryValueExW
RegEnumKeyExW
RegCreateKeyExW
CreateMutexW
ReleaseMutex
GetUserDefaultLangID
GetSystemDefaultLangID
LCIDToLocaleName
GetUserGeoID
HeapFree
IsValidLocaleName
LocaleNameToLCID
GetSystemAppDataKey
PackageIdFromFullName
GetUserDefaultUILanguage
LocalReAlloc
GetCurrentPackageInfo
ClosePackageInfo
LCMapStringW
OpenPackageInfoByFullName
GetPackageInfo
GetPackageFullName
GetSystemPreferredUILanguages
FormatMessageW
GetSystemTime
SystemTimeToFileTime
FindStringOrdinal
ResolveLocaleName
WaitForMultipleObjectsEx
RegisterWaitForSingleObject
UnregisterWait
CreateTimerQueueTimer
DeleteTimerQueueTimer
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
TrySubmitThreadpoolCallback
CallbackMayRunLong
FreeLibraryWhenCallbackReturns
CreateThread
OpenSemaphoreW
ReleaseSemaphore
CreateSemaphoreW
FreeLibraryAndExitThread
FreeLibrary
LocalAlloc
LocalFree
RaiseFailFastException
OutputDebugStringW
WaitForSingleObject
CreateEventW
CompareStringOrdinal
DelayLoadFailureHook
ResolveDelayLoadedAPI
CloseState
GetStateFolder
OpenStateExplicit
OpenState

ole32

CoAllowSetForegroundWindow
CreateBindCtx
CoRegisterInitializeSpy
CoRevokeInitializeSpy

shlwapi

ord16
ord236
ord618
ord278
ord572
HashData
PathFileExistsW
SHCreateStreamOnFileEx
ord156
StrDupW
PathMatchSpecExW
PathStripPathW
ord158
ord611
PathFindExtensionW
ord487
ord219
ord199
PathIsURLW
UrlCompareW
ord212
UrlCanonicalizeW
UrlIsW
ord154
PathGetArgsW
AssocCreate
ord172
PathRemoveExtensionW
StrStrIW
PathIsRootW
PathStripToRootW
SHStrDupW
AssocQueryStringW
ord12
SHStrDupA
ord214
ord615
SHCreateThreadRef
SHSetThreadRef
ord184
SHGetThreadRef
ord174
ord176

shell32

ord155
SHCreateItemInKnownFolder
SHCreateShellItemArrayFromShellItem
ord18
SHGetSpecialFolderLocation
ord16
SHParseDisplayName
ShellExecuteExW
SHGetPathFromIDListW
SHCreateAssociationRegistration
SHGetPropertyStoreForWindow
SHCreateItemFromParsingName
ord921
SHGetIDListFromObject
ord102
SHCreateItemFromIDList
SHGetKnownFolderPath
ord100
ord916
ord849
SHGetKnownFolderItem
ord931
ord764
ord830
ord815
ord817
ord814
ord847

propsys

PSGetPropertyKeyFromName
PropVariantCompareEx
PSCreateSimplePropertyChange
PropVariantGetElementCount
PSFormatForDisplay
ord438
PropVariantToStringVectorAlloc
PSGetNameFromPropertyKey
PSCreatePropertyChangeArray
PropVariantToInt32
PSGetPropertyDescription
PSPropertyKeyFromString
ord416
InitPropVariantFromStringAsVector
ord432
ord423
PropVariantToStringWithDefault
PropVariantChangeType
PSGetPropertyDescriptionListFromString
PropVariantToStringAlloc
ord408
PSPropertyBag_WriteDWORD
PropVariantToUInt32
PSCreateMemoryPropertyStore
ord436
ord435
InitPropVariantFromPropVariantVectorElem

wincorlib

?GetIidsFn@@YGJHPAKPBU__s_GUID@@PAPAVGuid@Platform@@@Z
?ToString@uint32@default@@QAAP$AAVString@Platform@@XZ
?ToString@int32@default@@QAAP$AAVString@Platform@@XZ
?ToString@Boolean@Platform@@QAAP$AAVString@2@XZ
?Equals@Object@Platform@@Q$AAA_NP$AAV12@@Z
??0InvalidCastException@Platform@@Q$AAA@XZ
?GetHashCode@Object@Platform@@Q$AAAHXZ
??0InvalidArgumentException@Platform@@Q$AAA@P$AAVString@1@@Z
?GetType@Object@Platform@@Q$AAAP$AAVType@2@XZ
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@P$AAV01@@Z
??0ChangedStateException@Platform@@Q$AAA@XZ
??0OutOfMemoryException@Platform@@Q$AAA@XZ
??0OutOfBoundsException@Platform@@Q$AAA@XZ
??0DisconnectedException@Platform@@Q$AAA@XZ
?ToString@Enum@Platform@@Q$AAAP$AAVString@2@XZ
?get@FullName@Type@Platform@@Q$AAAP$AAVString@3@XZ
??0NotImplementedException@Platform@@Q$AAA@P$AAVString@1@@Z
??0NullReferenceException@Platform@@Q$AAA@XZ
?GetIBoxVtable@Details@Platform@@YGPAXPAX@Z
?CreateValue@Details@Platform@@YGP$AAVObject@2@P$AAVType@2@PBX@Z
?GetActivationFactoryByPCWSTR@@YGJPAXAAVGuid@Platform@@PAPAX@Z
?__abi_make_type_id@@YGP$AAVType@Platform@@ABU__abi_type_descriptor@@@Z
?EventSourceGetTargetArrayEvent@Details@Platform@@YGPAXPAXI@Z
?EventSourceGetTargetArraySize@Details@Platform@@YGIPAX@Z
?EventSourceGetTargetArray@Details@Platform@@YGPAXPAXPAUEventLock@12@@Z
?CreateException@Exception@Platform@@SAP$AAV12@HP$AAVString@2@@Z
?get@Message@Exception@Platform@@Q$AAAP$AAVString@3@XZ
??0NotImplementedException@Platform@@Q$AAA@XZ
?AllocateException@Heap@Details@Platform@@SAPAXI@Z
??0Exception@Platform@@Q$AAA@HP$AAVString@1@@Z
?EventSourceUninitialize@Details@Platform@@YGXPAPAX@Z
?EventSourceInitialize@Details@Platform@@YGXPAPAX@Z
?EventSourceRemove@Details@Platform@@YGXPAPAXPAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
?EventSourceAdd@Details@Platform@@YG?AVEventRegistrationToken@Foundation@Windows@@PAPAXPAUEventLock@12@P$AAVDelegate@2@@Z
?__abi_WinRTraiseAccessDeniedException@@YGXXZ
?__abi_WinRTraiseOutOfMemoryException@@YGXXZ
?__abi_WinRTraiseCOMException@@YGXJ@Z
?__abi_WinRTraiseNullReferenceException@@YGXXZ
?__abi_WinRTraiseWrongThreadException@@YGXXZ
?__abi_WinRTraiseOutOfBoundsException@@YGXXZ
?__abi_WinRTraiseDisconnectedException@@YGXXZ
??0GridLength@Xaml@UI@Windows@@QAA@NW4GridUnitType@123@@Z
?__abi_WinRTraiseNotImplementedException@@YGXXZ
?__abi_FailFast@@YGXXZ
?__abi_WinRTraiseClassNotRegisteredException@@YGXXZ
??0Object@Platform@@Q$AAA@XZ
??0Delegate@Platform@@Q$AAA@XZ
?CreateException@Exception@Platform@@SAP$AAV12@H@Z
?ReCreateException@Exception@Platform@@SAP$AAV12@H@Z
?ReCreateFromException@Details@Platform@@YGJP$AAVException@2@@Z
?GetIBoxArrayVtable@Details@Platform@@YGPAXPAX@Z
?Allocate@Heap@Details@Platform@@SAPAXI@Z
?Free@Heap@Details@Platform@@SAXPAX@Z
?FreeException@Heap@Details@Platform@@SAXPAX@Z
?__abi_WinRTraiseInvalidCastException@@YGXXZ
?__abi_WinRTraiseOperationCanceledException@@YGXXZ
?__abi_WinRTraiseChangedStateException@@YGXXZ
?__abi_WinRTraiseFailureException@@YGXXZ
?InitializeData@Details@Platform@@YGJH@Z
?__abi_ObjectToString@__abi_details@@YGP$AAVString@Platform@@P$AAVObject@3@_N@Z
?__abi_cast_String_to_Object@__abi_details@@YGP$AAVObject@Platform@@P$AAVString@3@@Z
?__abi_cast_Object_to_String@__abi_details@@YGP$AAVString@Platform@@_NP$AAVObject@3@@Z
?__abi_WinRTraiseInvalidArgumentException@@YGXXZ
?__abi_WinRTraiseObjectDisposedException@@YGXXZ
?UninitializeData@Details@Platform@@YGXH@Z
?GetWeakReference@Details@Platform@@YGPAU__abi_IUnknown@@Q$ADVObject@2@@Z
??0InvalidArgumentException@Platform@@Q$AAA@XZ
?ResolveWeakReference@Details@Platform@@YGP$AAVObject@2@ABU_GUID@@PAPAU__abi_IUnknown@@@Z
??0FailureException@Platform@@Q$AAA@P$AAVString@1@@Z
?IntersectsWith@Rect@Foundation@Windows@@QAA_NV123@@Z
?get@Right@Rect@Foundation@Windows@@QAAMXZ
??0FailureException@Platform@@Q$AAA@XZ
?get@Bottom@Rect@Foundation@Windows@@QAAMXZ

api-ms-win-core-localization-l1-2-1

GetLocaleInfoW
GetSystemDefaultLCID
FindNLSString

api-ms-win-core-path-l1-1-0

PathCchAddExtension
PathCchAppend
PathCchCombine

api-ms-win-core-file-l1-2-1

FindClose
FindNextFileW
DeleteFileW
FindFirstFileExW
CompareFileTime

api-ms-win-security-base-l1-2-0

FreeSid
CreateWellKnownSid
AllocateAndInitializeSid
ImpersonateLoggedOnUser
SetTokenInformation
CreateRestrictedToken

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegQueryInfoKeyW
RegOpenKeyExW
RegCloseKey

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

user32

TranslateMessage
PeekMessageW
MsgWaitForMultipleObjectsEx
RemovePropW
IsWindowUnicode
DefWindowProcA
ActivateKeyboardLayout
SetKeyboardState
GetKeyboardState
ToUnicodeEx
GetMonitorInfoW
MonitorFromRect
SetWindowLongW
GetKeyboardLayout
SetRectEmpty
ClientToScreen
GetAncestor
SetCursor
LoadCursorW
PostQuitMessage
AttachThreadInput
OffsetRect
MoveWindow
ShowWindow
RegisterClassExW
DefWindowProcW
GetForegroundWindow
DestroyWindow
SetPropW
PostMessageW
GetPointerInfo
RegisterWindowMessageW
CreateWindowInBand
ord2561
IsWindowInDestroy
SetWindowCompositionAttribute
GetDesktopWindow
SetForegroundWindow
GetParent
ord2521
GetPropW
IntersectRect
CreatePopupMenu
MapWindowPoints
GetMenuDefaultItem
UnionRect
GetWindowRect
InflateRect
GetDC
ReleaseDC
GetAsyncKeyState
SystemParametersInfoW
GetWindowLongW
IsWindowVisible
DispatchMessageW
GetQueueStatus
GetKeyState
GetSystemMetrics
DestroyMenu
PostThreadMessageW

bcp47langs

Bcp47FromHkl
Bcp47GetNlsForm
Bcp47GetDirectionality

shcore

ord245
ord246
CreateRandomAccessStreamOverStream
CreateStreamOverRandomAccessStream
GetScaleFactorForMonitor
ord244
ord242

combase

ord65

wsclient

GetApplicationURL

twinapi

ord9
ord11

uxtheme

ord104
ord106
ord96
ord120
ord121

api-ms-win-core-registry-l2-1-0

RegSetKeyValueW

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject

Sections

.text
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 332KB - Virtual size: 335KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

minATL
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 540KB - Virtual size: 539KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3b47a49e73f344ba2e1c2ffb595e9fdb

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

urlmon

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-handle-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-errorhandling-l1-1-1

oleaut32

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

ntdll

kernel32

ole32

shlwapi

shell32

propsys

wincorlib

api-ms-win-core-localization-l1-2-1

api-ms-win-core-path-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-security-base-l1-2-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-timezone-l1-1-0

user32

bcp47langs

shcore

combase

wsclient

twinapi

uxtheme

api-ms-win-core-registry-l2-1-0

Exports

Exports

Sections

.text Size: 3.8MB - Virtual size: 3.8MB

.data Size: 332KB - Virtual size: 335KB

.idata Size: 19KB - Virtual size: 18KB

minATL Size: 512B - Virtual size: 504B

.rsrc Size: 35KB - Virtual size: 35KB

.reloc Size: 540KB - Virtual size: 539KB

.text
Size: 3.8MB - Virtual size: 3.8MB

.data
Size: 332KB - Virtual size: 335KB

.idata
Size: 19KB - Virtual size: 18KB

minATL
Size: 512B - Virtual size: 504B

.rsrc
Size: 35KB - Virtual size: 35KB

.reloc
Size: 540KB - Virtual size: 539KB