Windows Analysis Report
kOiaWLNKXpjayWeM.dll

Overview

General Information

Sample Name:	kOiaWLNKXpjayWeM.dll
Analysis ID:	750456
MD5:	b7d93d2b47d14264b8b986b2d8fc7a49
SHA1:	9310b16c2d7f9195c65cdbecf8c5648525cb80e5
SHA256:	139c1faa496ae6c7d7c5140b9f4ac4e34f153bf40cd080c856b96bbd7ae716d2
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Creates an autostart registry key pointing to binary in C:\Windows

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to communicate with device drivers

Uses the system / local time for branch decision (may execute only at specific dates)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Connects to several IPs in different countries

Registers a DLL

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: kOiaWLNKXpjayWeM.dll	ReversingLabs: Detection: 88%
Source: kOiaWLNKXpjayWeM.dll	Virustotal: Detection: 73%			Perma Link

Antivirus detection for URL or domain

Source: https://218.38.121.17/$

Avira URL Cloud: Label: malware

Source: 00000008.00000002.767607073.0000000000F14000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["218.38.121.17:443", "186.250.48.5:443", "80.211.107.116:8080", "174.138.33.49:7080", "165.22.254.236:8080", "185.148.169.10:8080", "62.171.178.147:8080", "128.199.217.206:443", "210.57.209.142:8080", "36.67.23.59:443", "160.16.143.191:8080", "128.199.242.164:8080", "178.238.225.252:8080", "118.98.72.86:443", "202.134.4.210:7080", "82.98.180.154:7080", "54.37.228.122:443", "64.227.55.231:8080", "195.77.239.39:8080", "103.254.12.236:7080", "103.85.95.4:8080", "178.62.112.199:8080", "83.229.80.93:8080", "114.79.130.68:443", "51.75.33.122:443", "139.196.72.155:8080", "188.165.79.151:443", "190.145.8.4:443", "196.44.98.190:8080", "198.199.70.22:8080", "103.56.149.105:8080", "104.244.79.94:443", "87.106.97.83:7080", "103.71.99.57:8080", "46.101.98.60:8080", "103.126.216.86:443", "103.224.241.74:8080", "37.44.244.177:8080", "85.214.67.203:8080", "202.28.34.99:8080", "175.126.176.79:8080", "85.25.120.45:8080", "93.104.209.107:8080", "103.41.204.169:8080", "78.47.204.80:443", "139.59.80.108:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0Hbtn0QADAJI=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWGLt60QACAIg="]}

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800017A0 CryptStringToBinaryA,CryptStringToBinaryA,		3_2_00000001800017A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800017A0 CryptStringToBinaryA,CryptStringToBinaryA,		4_2_00000001800017A0

Source: unknown

HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.3:49714 version: TLS 1.2

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000E504 GetSystemTime,SystemTimeToFileTime,FindFirstFileW,swprintf,swprintf,CloseHandle,swprintf,FindNextFileW,FindClose,	3_2_000000018000E504
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000E504 GetSystemTime,SystemTimeToFileTime,FindFirstFileW,swprintf,swprintf,CloseHandle,swprintf,FindNextFileW,FindClose,	4_2_000000018000E504
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_029D32FC FindNextFileW,FindFirstFileW,FindClose,	8_2_029D32FC

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_000000018000DCA0 RegCreateKeyExW,RegQueryValueExW,RegCloseKey,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,

3_2_000000018000DCA0

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 218.38.121.17 443

Source: Malware configuration extractor	IPs: 218.38.121.17:443
Source: Malware configuration extractor	IPs: 186.250.48.5:443
Source: Malware configuration extractor	IPs: 80.211.107.116:8080
Source: Malware configuration extractor	IPs: 174.138.33.49:7080
Source: Malware configuration extractor	IPs: 165.22.254.236:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 128.199.217.206:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 36.67.23.59:443
Source: Malware configuration extractor	IPs: 160.16.143.191:8080
Source: Malware configuration extractor	IPs: 128.199.242.164:8080
Source: Malware configuration extractor	IPs: 178.238.225.252:8080
Source: Malware configuration extractor	IPs: 118.98.72.86:443
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 82.98.180.154:7080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 64.227.55.231:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 103.254.12.236:7080
Source: Malware configuration extractor	IPs: 103.85.95.4:8080
Source: Malware configuration extractor	IPs: 178.62.112.199:8080
Source: Malware configuration extractor	IPs: 83.229.80.93:8080
Source: Malware configuration extractor	IPs: 114.79.130.68:443
Source: Malware configuration extractor	IPs: 51.75.33.122:443
Source: Malware configuration extractor	IPs: 139.196.72.155:8080
Source: Malware configuration extractor	IPs: 188.165.79.151:443
Source: Malware configuration extractor	IPs: 190.145.8.4:443
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 198.199.70.22:8080
Source: Malware configuration extractor	IPs: 103.56.149.105:8080
Source: Malware configuration extractor	IPs: 104.244.79.94:443
Source: Malware configuration extractor	IPs: 87.106.97.83:7080
Source: Malware configuration extractor	IPs: 103.71.99.57:8080
Source: Malware configuration extractor	IPs: 46.101.98.60:8080
Source: Malware configuration extractor	IPs: 103.126.216.86:443
Source: Malware configuration extractor	IPs: 103.224.241.74:8080
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 202.28.34.99:8080
Source: Malware configuration extractor	IPs: 175.126.176.79:8080
Source: Malware configuration extractor	IPs: 85.25.120.45:8080
Source: Malware configuration extractor	IPs: 93.104.209.107:8080
Source: Malware configuration extractor	IPs: 103.41.204.169:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 139.59.80.108:8080

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View	IP Address: 188.165.79.151 188.165.79.151
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17

Source: regsvr32.exe, 00000008.00000003.339955681.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.768245490.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000008.00000003.468907128.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.767607073.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.468748774.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.768041150.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.339924936.0000000000F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://218.38.121.17/
Source: regsvr32.exe, 00000008.00000002.767607073.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://218.38.121.17/$

Source: Yara match	File source: 00000008.00000002.767607073.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.rundll32.exe.21ce8590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.21ce8590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.21ce8590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.22ab0780000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.22ab0780000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.22ab0780000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.22ab0780000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.21ce8590000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.22ab0780000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.21ce8590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.22ab0780000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.21ce8590000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.253014513.0000022AB0991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.254435708.0000000002401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.253546936.0000021CE85C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.371644938.0000000002A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.254242832.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.371681565.0000000002A31000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.768911804.00000000029C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.287369701.0000022AB0780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254193655.0000022AB0991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.253580195.0000022AB0780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.287814441.0000022AB0991000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.255111695.0000021CE8590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.287467703.0000021CE8590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.768771937.0000000002990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.255327053.0000021CE85C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.253497739.0000021CE8590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.287612874.0000021CE85C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.251796872.0000022AB0780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180004968 appears 32 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 0000000180004968 appears 32 times

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?AddArrayString@JKDefragLib@@QEAAPEAPEA_WPEAPEA_WPEA_W@Z
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WVVZhuligM\KuLiEStglluewHbC.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?CallShowStatus@JKDefragLib@@QEAAXPEAUDefragDataStruct@@HH@Z
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6128 -s 480
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2424 -s 472
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?ColorizeItem@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@_K2H@Z
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\WVVZhuligM\KuLiEStglluewHbC.dll
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\WrWLj\BwssvzQrG.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?AddArrayString@JKDefragLib@@QEAAPEAPEA_WPEAPEA_WPEA_W@Z	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?CallShowStatus@JKDefragLib@@QEAAXPEAUDefragDataStruct@@HH@Z	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll,?ColorizeItem@JKDefragLib@@QEAAXPEAUDefragDataStruct@@PEAUItemStruct@@_K2H@Z	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\kOiaWLNKXpjayWeM.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WVVZhuligM\KuLiEStglluewHbC.dll"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\WrWLj\BwssvzQrG.dll"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180007ABC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVolumePathNameW,swprintf,GetVolumeNameForVolumeMountPointW,GetLastError,swprintf,swprintf,_fread_nolock,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,GetDiskFreeSpaceExW,DeviceIoControl,swprintf,swprintf,FlushFileBuffers,CloseHandle,FlushFileBuffers,CloseHandle,CloseHandle,		3_2_0000000180007ABC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180007ABC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetVolumePathNameW,swprintf,GetVolumeNameForVolumeMountPointW,GetLastError,swprintf,swprintf,_fread_nolock,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,GetDiskFreeSpaceExW,DeviceIoControl,swprintf,swprintf,FlushFileBuffers,CloseHandle,FlushFileBuffers,CloseHandle,CloseHandle,		4_2_0000000180007ABC

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6128
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2424

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK

Source: kOiaWLNKXpjayWeM.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kOiaWLNKXpjayWeM.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kOiaWLNKXpjayWeM.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kOiaWLNKXpjayWeM.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kOiaWLNKXpjayWeM.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kOiaWLNKXpjayWeM.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: kOiaWLNKXpjayWeM.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kOiaWLNKXpjayWeM.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kOiaWLNKXpjayWeM.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kOiaWLNKXpjayWeM.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kOiaWLNKXpjayWeM.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02408A56 push ebp; iretd	3_2_02408A57
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02406212 push ebp; iretd	3_2_02406213
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02405A82 push ebp; iretd	3_2_02405A83
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02406870 push ebp; iretd	3_2_024068C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_024230F3 push ebp; iretd	3_2_024230F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02409097 push ebp; iretd	3_2_02409098
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02406957 push ebp; iretd	3_2_02406958
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02408E30 push ebp; iretd	3_2_02408E31
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02406633 push ebp; retf	3_2_02406634
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02408F44 push ebp; iretd	3_2_02408F45
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02406738 push 45C7D274h; iretd	3_2_0240673E
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02406415 push ebp; retf	3_2_02406416
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_024224FA push ebp; ret	3_2_024224FB
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02408D61 push ebp; iretd	3_2_02408D62
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0240658C push ebp; iretd	3_2_0240658D
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A35A82 push ebp; iretd	22_2_02A35A83
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A36633 push ebp; retf	22_2_02A36634
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A38E30 push ebp; iretd	22_2_02A38E31
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A36212 push ebp; iretd	22_2_02A36213
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A38A56 push ebp; iretd	22_2_02A38A57
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A36738 push 45C7D274h; iretd	22_2_02A3673E
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A38F44 push ebp; iretd	22_2_02A38F45
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A39097 push ebp; iretd	22_2_02A39098
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A530F3 push ebp; iretd	22_2_02A530F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A524FA push ebp; ret	22_2_02A524FB
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A36415 push ebp; retf	22_2_02A36416
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A36870 push ebp; iretd	22_2_02A368C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A3658C push ebp; iretd	22_2_02A3658D
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A38D61 push ebp; iretd	22_2_02A38D62
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02A36957 push ebp; iretd	22_2_02A36958

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KuLiEStglluewHbC.dll			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KuLiEStglluewHbC.dll			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\WVVZhuligM\KuLiEStglluewHbC.dll:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\WrWLj\BwssvzQrG.dll:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Windows Analysis Report kOiaWLNKXpjayWeM.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs

Windows Analysis Report
kOiaWLNKXpjayWeM.dll

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000B6FC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rax+7ch], 01h and CTI: je 000000018000B7A2h	3_2_000000018000B6FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000B6FC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rax+00000080h], 01h and CTI: je 000000018000B7A2h	3_2_000000018000B6FC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000B6FC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rax+7ch], 01h and CTI: je 000000018000B7A2h	4_2_000000018000B6FC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000B6FC GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rax+00000080h], 01h and CTI: je 000000018000B7A2h	4_2_000000018000B6FC

Source: C:\Windows\System32\regsvr32.exe	API coverage: 5.8 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 5.5 %

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: regsvr32.exe, 00000008.00000002.768165460.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.768182445.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.468875093.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.468641649.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.468687202.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.339812172.0000000000F95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000008.00000003.468708556.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.767971584.0000000000F61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Windows\System32\loaddll64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180025630 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000000180025630
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001579C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_000000018001579C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180015984 SetUnhandledExceptionFilter,	3_2_0000000180015984
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180014A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0000000180014A60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180025630 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0000000180025630
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001579C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_000000018001579C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015984 SetUnhandledExceptionFilter,	4_2_0000000180015984
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180014A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0000000180014A60

IP	Domain	Country	ASN	ASN Name	Malicious
188.165.79.151	unknown	France	16276	OVHFR	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
174.138.33.49	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
160.16.143.191	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
36.67.23.59	unknown	Indonesia	17974	TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID	true
103.41.204.169	unknown	Indonesia	58397	INFINYS-AS-IDPTInfinysSystemIndonesiaID	true
103.56.149.105	unknown	Indonesia	55688	BEON-AS-IDPTBeonIntermediaID	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
83.229.80.93	unknown	United Kingdom	8513	SKYVISIONGB	true
85.25.120.45	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
198.199.70.22	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
93.104.209.107	unknown	Germany	8767	MNET-ASGermanyDE	true
186.250.48.5	unknown	Brazil	262807	RedfoxTelecomunicacoesLtdaBR	true
175.126.176.79	unknown	Korea Republic of	9523	MOKWON-AS-KRMokwonUniversityKR	true
139.196.72.155	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
128.199.242.164	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true
103.126.216.86	unknown	Bangladesh	138482	SKYVIEW-AS-APSKYVIEWONLINELTDBD	true
178.238.225.252	unknown	Germany	51167	CONTABODE	true
128.199.217.206	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true
190.145.8.4	unknown	Colombia	14080	TelmexColombiaSACO	true
46.101.98.60	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
82.98.180.154	unknown	Spain	42612	DINAHOSTING-ASES	true
114.79.130.68	unknown	India	45769	DVOIS-IND-VoisBroadbandPvtLtdIN	true
103.71.99.57	unknown	India	135682	AWDHPL-AS-INAdvikaWebDevelopmentsHostingPvtLtdIN	true
103.224.241.74	unknown	India	133296	WEBWERKS-AS-INWebWerksIndiaPvtLtdIN	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
202.28.34.99	unknown	Thailand	9562	MSU-TH-APMahasarakhamUniversityTH	true
87.106.97.83	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
103.254.12.236	unknown	Viet Nam	56151	DIGISTAR-VNDigiStarCompanyLimitedVN	true
103.85.95.4	unknown	Indonesia	136077	IDNIC-UNSRAT-AS-IDUniversitasIslamNegeriMataramID	true
80.211.107.116	unknown	Italy	31034	ARUBA-ASNIT	true
54.37.228.122	unknown	France	16276	OVHFR	true
202.134.4.210	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
218.38.121.17	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
165.22.254.236	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
118.98.72.86	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
139.59.80.108	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
178.62.112.199	unknown	European Union	14061	DIGITALOCEAN-ASNUS	true
104.244.79.94	unknown	United States	53667	PONYNETUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
51.75.33.122	unknown	France	16276	OVHFR	true
64.227.55.231	unknown	United States	14061	DIGITALOCEAN-ASNUS	true

ID:	750456
Product:	CloudBasic
Start time:	03:31:51
Start date:	21.11.2022
Sample:	kOiaWLNKXpjayWeM.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b7d93d2b47d14264b8b986b2d8fc7a49
SHA1:	9310b16c2d7f9195c65cdbecf8c5648525cb80e5
SHA256:	139c1faa496ae6c7d7c5140b9f4ac4e34f153bf40cd080c856b96bbd7ae716d2
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_kOi_a748228d1b9ab9a1bb94dae9e0fac923745_f2877757_0d5857e4\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	0B151449235445704F036E71D0B36121	B9532A6B689DBBD101DB151FAEEBB0146969F3EC	1854F3636E6C08507C14FB1D5A4FAE2F3B84C51F775B761F17A1FAB51DB52C4E
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_kOi_a748228d1b9ab9a1bb94dae9e0fac923745_f2877757_14085813\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	89FB0C3122C98458BC77F378EE060B78	5608AFA8320715CB8CECB3D19B4DBED117EE9D3D	1FB6A0DB37151B85B9A3886768CC49824A9089ACA1126845D28AD56E56B4C8E1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F6F.tmp.dmp	Mini DuMP crash report, 15 streams, Mon Nov 21 11:32:49 2022, 0x1205a4 type	6FDB4190A9D1E0E7993BEF4AC6CF4903	709D61049D6C6D2E333A046DC248625624F7AF3B	78FB31A09D0A60E4A2684787E690065C7663FC5172BE2078F42074678A6B3CA7
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2173.tmp.dmp	Mini DuMP crash report, 15 streams, Mon Nov 21 11:32:50 2022, 0x1205a4 type	E2BEE3284D5782BF1CD920884AA0DDC0	3ABFC6B1801276310175546F05106E4DCF0B051A	3435E6312400AD0F6341025145BA005652C7F38DE3F1833F0584D4378F3258CB
C:\ProgramData\Microsoft\Windows\WER\Temp\WER222F.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	BE46A1CF0D47BF92350C02FBB7BC6DCE	752B0D5513D543E34D6156EE78ECB3AA2CB7F583	2847471816764542AAD97F3B098092F28B49B4CFC309CD1A7B52518DAF3CFECE
C:\ProgramData\Microsoft\Windows\WER\Temp\WER232A.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	1AD542F6150D682107751BA46FFBB1CF	44F9DB01B37E1BAE1E3B8A74C67D2549D16E51A3	147687BCE9BB3A5FE3746E68606ED2BBE919299D7D41FB7CEBADD846F879A66C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2452.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	E5D5B3EE48668176FF7610C85F71B56F	B901413E9C393AA46786DC36773BA7031D16921A	0989754C096D226569827F2C2BFBC6403C77B962534771CC1868E29BBA1B3631
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24EF.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	0D9B86BE737702FE9B1E0C59F154EA73	D5FCD44963ADAC173C1B34308CF6F2C5EF1ADBCC	388A076160B1FD20113D856E8A9B2F9DFC64034E371B4FE06831AD9A63672DA5