Windows[.]UI[.]Search[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

Windows.UI.Search.dll
Size

4.7MB
MD5

b33dd4e68b6fb6b60b37cdd98e14816f
SHA1

efc6d30bfbce4791ed7fbfb3765165f2076b8284
SHA256

6fe58c660cc21ede86a18e654d98c127b5acda5fd26baec42e828d3c520b7905
SHA512

6273c276688a44b1acb922773cae08190aed5a5457dc0aa0da986cc623b2a0f58acb1f3c3a6ee0dd7448346b1c1eb9b7facb6a51a48c123a2e212b483ce1c153
SSDEEP

98304:I7uyW5aBlsIkZniO6+IInlD8D2A9J+eT7O:xydIsImDV6Z

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Windows.UI.Search.dll

Files

Windows.UI.Search.dll
.dll windows:6 windows x86 arch:x86

8601533a359e15c8b66d203b35395ada

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

Windows.UI.Search.pdb

Imports

msvcrt

_ftol2_sse
__ExceptionPtrCurrentException
__uncaught_exception
_except_handler4_common
??1type_info@@UAE@XZ
_onexit
wcstoul
wcstol
_free_locale
_get_current_locale
__crtLCMapStringW
__dllonexit
__crtCompareStringW
_wcsdup
localeconv
strcspn
sprintf_s
abort
memcmp
___lc_collate_cp_func
calloc
__pctype_func
_ismbblead
___lc_codepage_func
___lc_handle_func
_errno
___mb_cur_max_func
setlocale
wcslen
memset
wcsncmp
iswalpha
wcschr
_wcsnicmp
iswalnum
memmove_s
_wtof
_wtoi
realloc
strchr
??0bad_cast@@QAE@PBD@Z
??1bad_cast@@UAE@XZ
??0bad_cast@@QAE@ABV0@@Z
_unlock
ldiv
isspace
wcstok_s
wcsrchr
wcsstr
_vsnwprintf
wcscspn
_set_errno
_get_errno
??_V@YAXPAX@Z
_CIpow
_ftol2
_lock
_initterm
free
_amsg_exit
_XcptFilter
_callnewh
malloc
memcpy
__CxxFrameHandler3
_CxxThrowException
??0exception@@QAE@ABQBDH@Z
__ExceptionPtrCreate
?terminate@@YAXXZ
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??3@YAXPAX@Z
_purecall
__ExceptionPtrDestroy
memmove
__ExceptionPtrCopy
wcscpy_s
floor

urlmon

ord504
IsValidURL
URLOpenBlockingStreamW
CreateUri

api-ms-win-core-com-l1-1-1

CoGetApartmentType
CoGetInterfaceAndReleaseStream
CoGetObjectContext
CoMarshalInterThreadInterfaceInStream
CoCancelCall
CoDisableCallCancellation
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
PropVariantClear
CLSIDFromProgID
CoGetMalloc
CoCreateFreeThreadedMarshaler
CoEnableCallCancellation
PropVariantCopy
CoUninitialize
CoGetStdMarshalEx
CoGetCallContext
CoReleaseMarshalData
StringFromCLSID
CoCreateGuid
RoGetAgileReference
CoInitializeEx
CoWaitForMultipleHandles

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoActivateInstance

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsCompareStringOrdinal
WindowsCreateString
WindowsDuplicateString
WindowsGetStringLen
WindowsConcatString
WindowsSubstring
WindowsDeleteString
WindowsSubstringWithSpecifiedLength
WindowsCreateStringReference
WindowsIsStringEmpty
WindowsStringHasEmbeddedNull

api-ms-win-core-winrt-error-l1-1-1

IsErrorPropagationEnabled
RoGetMatchingRestrictedErrorInfo
RoOriginateErrorW
RoOriginateError
RoTransformError
RoReportFailedDelegate
SetRestrictedErrorInfo

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-synch-l1-2-0

ReleaseSRWLockShared
Sleep
EnterCriticalSection
InitializeCriticalSection
AcquireSRWLockExclusive
DeleteCriticalSection
CreateEventExW
AcquireSRWLockShared
LeaveCriticalSection
ResetEvent
SetEvent
ReleaseSRWLockExclusive
InitializeSRWLock
InitializeCriticalSectionEx
WaitForSingleObjectEx

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
TraceMessage
UnregisterTraceGuids
RegisterTraceGuidsW

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventWrite
EventRegister

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetProcAddress
GetModuleHandleExW
LoadStringW
LoadLibraryExW
DisableThreadLibraryCalls

api-ms-win-core-processthreads-l1-1-2

GetProcessId
OpenProcessToken
TlsSetValue
OpenProcess
GetCurrentProcessId
CreateProcessAsUserW
SetThreadToken
TlsFree
GetCurrentProcess
GetCurrentThread
OpenThreadToken
TlsGetValue
TerminateProcess
TlsAlloc
GetCurrentThreadId

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-2-1

GetVersionExW
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-errorhandling-l1-1-1

RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

oleaut32

SysFreeString
SafeArrayGetDim

api-ms-win-core-string-l2-1-0

CharLowerBuffW
CharPrevW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringEx
CompareStringW
WideCharToMultiByte
GetStringTypeW

ntdll

WinSqmIncrementDWORD
WinSqmIsOptedIn
WinSqmAddToStreamEx
WinSqmAddToStream
RtlNtStatusToDosError
RtlPublishWnfStateData
RtlFreeHeap
RtlInitUnicodeString
RtlAllocateHeap
RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString
NtQueryInformationToken

kernel32

HeapAlloc
GetProcessHeap
RegQueryValueExW
RegEnumKeyExW
RegCreateKeyExW
CreateMutexW
ReleaseMutex
GetUserDefaultLangID
GetSystemDefaultLangID
LCIDToLocaleName
GetUserGeoID
HeapFree
IsValidLocaleName
LocaleNameToLCID
GetSystemAppDataKey
PackageIdFromFullName
GetUserDefaultUILanguage
LocalReAlloc
GetCurrentPackageInfo
ClosePackageInfo
LCMapStringW
OpenPackageInfoByFullName
GetPackageInfo
GetPackageFullName
GetSystemPreferredUILanguages
FormatMessageW
GetSystemTime
SystemTimeToFileTime
FindStringOrdinal
ResolveLocaleName
WaitForMultipleObjectsEx
RegisterWaitForSingleObject
UnregisterWait
CreateTimerQueueTimer
DeleteTimerQueueTimer
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
TrySubmitThreadpoolCallback
CallbackMayRunLong
FreeLibraryWhenCallbackReturns
CreateThread
OpenSemaphoreW
ReleaseSemaphore
CreateSemaphoreW
FreeLibraryAndExitThread
FreeLibrary
LocalAlloc
LocalFree
RaiseFailFastException
OutputDebugStringW
WaitForSingleObject
CreateEventW
CompareStringOrdinal
DelayLoadFailureHook
ResolveDelayLoadedAPI
CloseState
GetStateFolder
OpenStateExplicit
OpenState

ole32

CoAllowSetForegroundWindow
CreateBindCtx
CoRegisterInitializeSpy
CoRevokeInitializeSpy

shlwapi

HashData
PathFileExistsW
SHCreateStreamOnFileEx
ord156
StrStrIW
PathIsRootW
PathStripToRootW
SHStrDupW
AssocQueryStringW
ord12
ord615
SHCreateThreadRef
SHSetThreadRef
SHGetThreadRef
ord174
PathStripPathW
PathGetArgsW
ord176
ord611
ord487
ord219
ord199
ord16
ord236
ord618
ord278
ord572
PathRemoveExtensionW
ord158
PathFindExtensionW
PathMatchSpecExW
AssocCreate
ord172
ord214
ord154
ord212
ord184
SHStrDupA
StrDupW
UrlIsW
UrlCanonicalizeW
UrlCompareW
PathIsURLW

shell32

ord817
ord100
ord815
ord830
ord764
SHGetSpecialFolderLocation
ord16
SHParseDisplayName
SHCreateItemFromParsingName
ord245
SHGetPathFromIDListW
ord155
ord18
SHGetKnownFolderPath
SHCreateItemFromIDList
ord102
SHGetIDListFromObject
SHGetPropertyStoreForWindow
SHCreateAssociationRegistration
ShellExecuteExW
SHCreateShellItemArrayFromShellItem
SHCreateItemInKnownFolder
ord931
ord921
SHGetKnownFolderItem
ord814
ord847
ord849
ord916

propsys

PropVariantToStringAlloc
PSGetPropertyDescriptionListFromString
ord408
PSPropertyBag_WriteDWORD
ord416
PropVariantToUInt32
PSCreateMemoryPropertyStore
ord436
PSCreateSimplePropertyChange
PropVariantGetElementCount
PSGetNameFromPropertyKey
PSPropertyKeyFromString
PSGetPropertyDescription
ord438
PropVariantToStringVectorAlloc
PSCreatePropertyChangeArray
PSFormatForDisplay
PropVariantCompareEx
ord435
PSGetPropertyKeyFromName
InitPropVariantFromStringAsVector
ord432
ord423
PropVariantToStringWithDefault
PropVariantChangeType
InitPropVariantFromPropVariantVectorElem
PropVariantToInt32

wincorlib

?GetIidsFn@@YGJHPAKPBU__s_GUID@@PAPAVGuid@Platform@@@Z
?ToString@uint32@default@@QAAP$AAVString@Platform@@XZ
?ToString@int32@default@@QAAP$AAVString@Platform@@XZ
?ToString@Boolean@Platform@@QAAP$AAVString@2@XZ
?Equals@Object@Platform@@Q$AAA_NP$AAV12@@Z
??0InvalidCastException@Platform@@Q$AAA@XZ
?GetHashCode@Object@Platform@@Q$AAAHXZ
??0InvalidArgumentException@Platform@@Q$AAA@P$AAVString@1@@Z
?GetType@Object@Platform@@Q$AAAP$AAVType@2@XZ
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@P$AAV01@@Z
??0ChangedStateException@Platform@@Q$AAA@XZ
??0OutOfMemoryException@Platform@@Q$AAA@XZ
??0OutOfBoundsException@Platform@@Q$AAA@XZ
??0DisconnectedException@Platform@@Q$AAA@XZ
?ToString@Enum@Platform@@Q$AAAP$AAVString@2@XZ
?get@FullName@Type@Platform@@Q$AAAP$AAVString@3@XZ
??0NotImplementedException@Platform@@Q$AAA@P$AAVString@1@@Z
??0NullReferenceException@Platform@@Q$AAA@XZ
?GetIBoxVtable@Details@Platform@@YGPAXPAX@Z
?CreateValue@Details@Platform@@YGP$AAVObject@2@P$AAVType@2@PBX@Z
?GetActivationFactoryByPCWSTR@@YGJPAXAAVGuid@Platform@@PAPAX@Z
?__abi_make_type_id@@YGP$AAVType@Platform@@ABU__abi_type_descriptor@@@Z
?EventSourceGetTargetArrayEvent@Details@Platform@@YGPAXPAXI@Z
?EventSourceGetTargetArraySize@Details@Platform@@YGIPAX@Z
?EventSourceGetTargetArray@Details@Platform@@YGPAXPAXPAUEventLock@12@@Z
?CreateException@Exception@Platform@@SAP$AAV12@HP$AAVString@2@@Z
?get@Message@Exception@Platform@@Q$AAAP$AAVString@3@XZ
??0NotImplementedException@Platform@@Q$AAA@XZ
?AllocateException@Heap@Details@Platform@@SAPAXI@Z
??0Exception@Platform@@Q$AAA@HP$AAVString@1@@Z
?EventSourceUninitialize@Details@Platform@@YGXPAPAX@Z
?EventSourceInitialize@Details@Platform@@YGXPAPAX@Z
?EventSourceRemove@Details@Platform@@YGXPAPAXPAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
?EventSourceAdd@Details@Platform@@YG?AVEventRegistrationToken@Foundation@Windows@@PAPAXPAUEventLock@12@P$AAVDelegate@2@@Z
?__abi_WinRTraiseAccessDeniedException@@YGXXZ
?__abi_WinRTraiseOutOfMemoryException@@YGXXZ
?__abi_WinRTraiseCOMException@@YGXJ@Z
?__abi_WinRTraiseNullReferenceException@@YGXXZ
?__abi_WinRTraiseWrongThreadException@@YGXXZ
?__abi_WinRTraiseOutOfBoundsException@@YGXXZ
?__abi_WinRTraiseDisconnectedException@@YGXXZ
??0GridLength@Xaml@UI@Windows@@QAA@NW4GridUnitType@123@@Z
?__abi_WinRTraiseNotImplementedException@@YGXXZ
?__abi_FailFast@@YGXXZ
?__abi_WinRTraiseClassNotRegisteredException@@YGXXZ
??0Object@Platform@@Q$AAA@XZ
??0Delegate@Platform@@Q$AAA@XZ
?CreateException@Exception@Platform@@SAP$AAV12@H@Z
?ReCreateException@Exception@Platform@@SAP$AAV12@H@Z
?ReCreateFromException@Details@Platform@@YGJP$AAVException@2@@Z
?GetIBoxArrayVtable@Details@Platform@@YGPAXPAX@Z
?Allocate@Heap@Details@Platform@@SAPAXI@Z
?Free@Heap@Details@Platform@@SAXPAX@Z
?FreeException@Heap@Details@Platform@@SAXPAX@Z
?__abi_WinRTraiseInvalidCastException@@YGXXZ
?__abi_WinRTraiseOperationCanceledException@@YGXXZ
?__abi_WinRTraiseChangedStateException@@YGXXZ
?__abi_WinRTraiseFailureException@@YGXXZ
?InitializeData@Details@Platform@@YGJH@Z
?__abi_ObjectToString@__abi_details@@YGP$AAVString@Platform@@P$AAVObject@3@_N@Z
?__abi_cast_String_to_Object@__abi_details@@YGP$AAVObject@Platform@@P$AAVString@3@@Z
?__abi_cast_Object_to_String@__abi_details@@YGP$AAVString@Platform@@_NP$AAVObject@3@@Z
?__abi_WinRTraiseInvalidArgumentException@@YGXXZ
?__abi_WinRTraiseObjectDisposedException@@YGXXZ
?UninitializeData@Details@Platform@@YGXH@Z
?GetWeakReference@Details@Platform@@YGPAU__abi_IUnknown@@Q$ADVObject@2@@Z
??0InvalidArgumentException@Platform@@Q$AAA@XZ
?ResolveWeakReference@Details@Platform@@YGP$AAVObject@2@ABU_GUID@@PAPAU__abi_IUnknown@@@Z
??0FailureException@Platform@@Q$AAA@P$AAVString@1@@Z
?IntersectsWith@Rect@Foundation@Windows@@QAA_NV123@@Z
?get@Right@Rect@Foundation@Windows@@QAAMXZ
??0FailureException@Platform@@Q$AAA@XZ
?get@Bottom@Rect@Foundation@Windows@@QAAMXZ

api-ms-win-core-localization-l1-2-1

GetLocaleInfoW
FindNLSString
GetSystemDefaultLCID

api-ms-win-core-path-l1-1-0

PathCchAddExtension
PathCchAppend
PathCchCombine

api-ms-win-core-file-l1-2-1

CompareFileTime
DeleteFileW
FindNextFileW
FindFirstFileExW
FindClose

api-ms-win-security-base-l1-2-0

CreateRestrictedToken
AllocateAndInitializeSid
CreateWellKnownSid
SetTokenInformation
FreeSid
ImpersonateLoggedOnUser

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-core-registry-l1-1-0

RegQueryInfoKeyW
RegCloseKey
RegGetValueW
RegOpenKeyExW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

user32

TranslateMessage
GetPropW
DispatchMessageW
PostThreadMessageW
IsWindowVisible
PeekMessageW
MsgWaitForMultipleObjectsEx
ActivateKeyboardLayout
GetKeyboardLayout
SetRectEmpty
ClientToScreen
SystemParametersInfoW
GetDesktopWindow
CreateWindowInBand
ord2561
IsWindowInDestroy
SetPropW
ord2521
SetCursor
LoadCursorW
GetParent
GetAncestor
SetForegroundWindow
PostQuitMessage
DefWindowProcW
GetForegroundWindow
DestroyWindow
AttachThreadInput
MoveWindow
GetQueueStatus
PostMessageW
GetPointerInfo
RegisterWindowMessageW
ShowWindow
SetWindowCompositionAttribute
CreatePopupMenu
GetMenuDefaultItem
UnionRect
InflateRect
IsWindowUnicode
DefWindowProcA
SetKeyboardState
GetKeyboardState
ToUnicodeEx
GetDC
GetMonitorInfoW
MonitorFromRect
SetWindowLongW
ReleaseDC
OffsetRect
IntersectRect
MapWindowPoints
GetWindowRect
GetWindowLongW
RegisterClassExW
GetAsyncKeyState
RemovePropW
DestroyMenu
GetSystemMetrics
GetKeyState

bcp47langs

Bcp47FromHkl
Bcp47GetNlsForm
Bcp47GetDirectionality

shcore

ord242
ord245
ord246
CreateRandomAccessStreamOverStream
CreateStreamOverRandomAccessStream
GetScaleFactorForMonitor
ord244

combase

ord65

wsclient

GetApplicationURL

twinapi

ord9
ord11

uxtheme

ord104
ord120
ord121
ord96
ord106

uiautomationcore

UiaDisconnectAllProviders

api-ms-win-core-registry-l2-1-0

RegSetKeyValueW

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject

Sections

.text
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 332KB - Virtual size: 335KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

minATL
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 541KB - Virtual size: 540KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8601533a359e15c8b66d203b35395ada

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

urlmon

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-handle-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-errorhandling-l1-1-1

oleaut32

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

ntdll

kernel32

ole32

shlwapi

shell32

propsys

wincorlib

api-ms-win-core-localization-l1-2-1

api-ms-win-core-path-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-security-base-l1-2-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-timezone-l1-1-0

user32

bcp47langs

shcore

combase

wsclient

twinapi

uxtheme

uiautomationcore

api-ms-win-core-registry-l2-1-0

Exports

Exports

Sections

.text Size: 3.8MB - Virtual size: 3.8MB

.data Size: 332KB - Virtual size: 335KB

.idata Size: 19KB - Virtual size: 18KB

minATL Size: 512B - Virtual size: 504B

.rsrc Size: 35KB - Virtual size: 35KB

.reloc Size: 541KB - Virtual size: 540KB

.text
Size: 3.8MB - Virtual size: 3.8MB

.data
Size: 332KB - Virtual size: 335KB

.idata
Size: 19KB - Virtual size: 18KB

minATL
Size: 512B - Virtual size: 504B

.rsrc
Size: 35KB - Virtual size: 35KB

.reloc
Size: 541KB - Virtual size: 540KB