Windows Analysis Report
pcre2-16.dll

Overview

General Information

Sample name:	pcre2-16.dll
Analysis ID:	1448101
MD5:	36185746a613bdc3e52906e4c053ab89
SHA1:	fa0ee487b8b311d26b51cca2c83eb12441a0d4d5
SHA256:	b1adadb919f6fb08fa87b4a7bae069ead20f48f3e5779d9b3b4f2e4e1ba0f189
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Classification

Signatures

Source: pcre2-16.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll
Source:	Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb// source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_1731c9291b48156d38e2b4f8fc44dc6afe3fb_76fbbc46_037511ff-28df-4739-9281-9d59950f9335\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_a85d3f61e282c6ab111541d23626a541f6483d_76fbbc46_27c8a652-5e23-4709-baa0-ace937338ba4\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Detected potential crypto function

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052B8B0	0_2_00007FFE0052B8B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005240B0	0_2_00007FFE005240B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00512890	0_2_00007FFE00512890
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00541870	0_2_00007FFE00541870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00508070	0_2_00007FFE00508070
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515922	0_2_00007FFE00515922
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051593D	0_2_00007FFE0051593D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050F100	0_2_00007FFE0050F100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515902	0_2_00007FFE00515902
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515912	0_2_00007FFE00515912
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005170F0	0_2_00007FFE005170F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051E8F0	0_2_00007FFE0051E8F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005170C9	0_2_00007FFE005170C9
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052A980	0_2_00007FFE0052A980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00521960	0_2_00007FFE00521960
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00524960	0_2_00007FFE00524960
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052A170	0_2_00007FFE0052A170
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051594D	0_2_00007FFE0051594D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051B14F	0_2_00007FFE0051B14F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052C1E0	0_2_00007FFE0052C1E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005159D5	0_2_00007FFE005159D5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515AA2	0_2_00007FFE00515AA2
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051FAB0	0_2_00007FFE0051FAB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515AB4	0_2_00007FFE00515AB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051AA7E	0_2_00007FFE0051AA7E
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00520290	0_2_00007FFE00520290
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00511292	0_2_00007FFE00511292
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051F240	0_2_00007FFE0051F240
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00519240	0_2_00007FFE00519240
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00510BBB	0_2_00007FFE00510BBB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515B8C	0_2_00007FFE00515B8C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051B38F	0_2_00007FFE0051B38F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051DB70	0_2_00007FFE0051DB70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515B4C	0_2_00007FFE00515B4C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050A3F0	0_2_00007FFE0050A3F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE004F3C40	0_2_00007FFE004F3C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00526D35	0_2_00007FFE00526D35
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051AD0E	0_2_00007FFE0051AD0E
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052BCE0	0_2_00007FFE0052BCE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005214E0	0_2_00007FFE005214E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051F4C0	0_2_00007FFE0051F4C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE004FD4EA	0_2_00007FFE004FD4EA
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051DDA0	0_2_00007FFE0051DDA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00524DB0	0_2_00007FFE00524DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051B5B5	0_2_00007FFE0051B5B5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050FD80	0_2_00007FFE0050FD80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00516590	0_2_00007FFE00516590
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052ED60	0_2_00007FFE0052ED60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051054D	0_2_00007FFE0051054D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00500D60	0_2_00007FFE00500D60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051EE20	0_2_00007FFE0051EE20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052A610	0_2_00007FFE0052A610
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00522E10	0_2_00007FFE00522E10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052B5C0	0_2_00007FFE0052B5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005095C0	0_2_00007FFE005095C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052C5D0	0_2_00007FFE0052C5D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005115D0	0_2_00007FFE005115D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051669E	0_2_00007FFE0051669E
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050D6B0	0_2_00007FFE0050D6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051667F	0_2_00007FFE0051667F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00516687	0_2_00007FFE00516687
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00516692	0_2_00007FFE00516692
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051BE97	0_2_00007FFE0051BE97
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0053169C	0_2_00007FFE0053169C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00518672	0_2_00007FFE00518672
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00512E75	0_2_00007FFE00512E75
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0053BF20	0_2_00007FFE0053BF20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050BF3D	0_2_00007FFE0050BF3D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00530710	0_2_00007FFE00530710
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00506ECA	0_2_00007FFE00506ECA
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052DEC0	0_2_00007FFE0052DEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00509FA0	0_2_00007FFE00509FA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00511FA9	0_2_00007FFE00511FA9
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00514FB0	0_2_00007FFE00514FB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051AF9D	0_2_00007FFE0051AF9D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00517F73	0_2_00007FFE00517F73
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00528F40	0_2_00007FFE00528F40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050BF40	0_2_00007FFE0050BF40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515747	0_2_00007FFE00515747
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00523820	0_2_00007FFE00523820
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00508830	0_2_00007FFE00508830
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051B830	0_2_00007FFE0051B830
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515805	0_2_00007FFE00515805
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051581A	0_2_00007FFE0051581A
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051F7E0	0_2_00007FFE0051F7E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005157F5	0_2_00007FFE005157F5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE004FAFE8	0_2_00007FFE004FAFE8

One or more processes crash

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7336 -s 332

Source: classification engine

Classification label: clean4.winDLL@108/17@0/0

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7320
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7336
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7756

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9a540079-8a23-46e2-b9c0-b272d37860c0

Jump to behavior

Source: pcre2-16.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pcre2-16.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7336 -s 332
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7320 -s 332
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_16
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 324
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_with_tables_16
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7756 -s 324
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_callout_enumerate_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_with_tables_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_number_from_name_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_nametable_scan_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_get_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_free_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_bynumber_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_byname_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_bynumber_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_byname_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_free_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_bynumber_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_byname_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substitute_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_substitute_callout_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_memory_management_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_limit_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_parens_nest_limit_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_offset_limit_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_with_tables_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_callout_enumerate_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_with_tables_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_number_from_name_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_nametable_scan_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_get_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_free_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_bynumber_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_byname_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_bynumber_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_byname_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_free_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_bynumber_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_byname_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substitute_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_substitute_callout_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_memory_management_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_limit_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_parens_nest_limit_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_offset_limit_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140.dll			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: pcre2-16.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: pcre2-16.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: pcre2-16.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll
Source:	Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb// source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll

Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE0052B3D0 GetSystemInfo,VirtualAlloc,

0_2_00007FFE0052B3D0

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_1731c9291b48156d38e2b4f8fc44dc6afe3fb_76fbbc46_037511ff-28df-4739-9281-9d59950f9335\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_a85d3f61e282c6ab111541d23626a541f6483d_76fbbc46_27c8a652-5e23-4709-baa0-ace937338ba4\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Checks if the current process is being debugged

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE005447F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FFE005447F0

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00543D50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FFE00543D50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005447F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00007FFE005447F0

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE005256B0 cpuid

0_2_00007FFE005256B0

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE005443AC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FFE005443AC

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_1731c9291b48156d38e2b4f8fc44dc6afe3fb_76fbbc46_037511ff-28df-4739-9281-9d59950f9335\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	4254488A3DD41380F7DA45F62896269A	70C9BDA27FD5E94283A62C731357332850EB6872	5B78BB6B7A76D3E424DEC32C9624A2447A56C0F8FCAB44B3F9CF2119CB3D15D0
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_1731c9291b48156d38e2b4f8fc44dc6afe3fb_76fbbc46_9d0da3c6-3573-4aad-832a-d223597dd415\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	1E198125B45BC3E73EA3604BBEF531F0	0C78BF5595FF6F7B778C27FF5D503FABD304E9E8	D391002F1A607ECB4AE3B0161A0881D7042DAAB013B70B36AC1C4436534F6A7B
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_7e5183b4bd0fdc294ad553aa5ff79f7eff7cd_76fbbc46_ee145759-fa36-48dc-86ba-2b6d51b93db1\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	FB537E537EFC35FBC2400CD9CBC53C64	053BC80A3105B4EF03EED12F53808E86D6883CB2	AB6191805728EA3294C4EE82CBA854657C13868189EA4F3D7392869DFEA2B78B
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_a85d3f61e282c6ab111541d23626a541f6483d_76fbbc46_27c8a652-5e23-4709-baa0-ace937338ba4\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	9CFABA2CC896E60C62394EA1CDBD8C4A	E9EFA9CAD9ABD23135527F75B11391E0C539E8D5	6A0BD6A5F408B27980A636BBC31185E1733DBCA651EBBCB0C09780620878D0E8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AD.tmp.dmp	Mini DuMP crash report, 14 streams, Mon May 27 18:14:37 2024, 0x1205a4 type	348710EC56DA357187ED4DBA67AD1306	94631C95E479310805281B8EE10890269C3075F3	FCEA78F46C35A3970787AF40B9A296EFA257141C63A3EFF762A6CB07693DDB3D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	D8936BC9AE73337AD36818A926AECB18	4C746D21AE7ED11D62CCDDDF48331E1B53A10344	4E85C3E66D00249EE25BBA880B6345E1A772E4B0B37913A28F4113CD746600D8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER20D.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	88CE172FA98C6059EDAC4FE5F79B3DB8	F0FEEB0587775E60351B4895AFD861CA23C6CBD9	456E61F2D0CBCD80ACDE3A6A89F89864DB03E1B7F306DF73536AF4F72F23CB7E
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB37.tmp.dmp	Mini DuMP crash report, 14 streams, Mon May 27 18:14:31 2024, 0x1205a4 type	5EB15A4269F1BBB00162B58A95F0F878	299D50A4089497B187F092B5D795A44EB168875F	5A339E14E81EE3F77E979700FC7FFCB73D672738B086968853E9361839129975
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB47.tmp.dmp	Mini DuMP crash report, 14 streams, Mon May 27 18:14:31 2024, 0x1205a4 type	0613926A9BEF9D6E6A1D943F41DC43EB	898220143BB0C6C20092793E9D7994A8DAAE958B	F4E2E613C5C79FC59DB4CC35A83BF37C7FBC53E6ED17CBC1E7C98F513EC108E1
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBF4.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	14E66218C57321C6BFEDA152C9D370AB	948741B6B1812131E0B312FF2A4A7921581221BD	74835B125CEF51061A587416BC584CC4DCE7C84E67EAF955FC9219C4C32A8DC8
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC23.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	A0716452368B39764FCB56AE7FFC4990	C8209DFEC4BFD6D6381C0A098583D36509DB501C	E4B8A08355645B4B175322DD9C5424E7508761B0A047E474DFB330F3E1DA2017
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC33.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	9027C53803251DDB0AF4A0584C8AE1C8	CB7F5D040D5DA760D3186BFE061C11F1A712D795	1DC4D72A22D5DE6CDB791CED0B745A22B2B27EB456F8C7D05EB0DECEC4EE00DB
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC81.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	8028B1FD246AE02220D2D03F647BAF12	60AFC8D30BD3783E1230DAB37A56693EBEA385BD	807A734C1C6B88994EB7C20421BDCD15DB8E5A07DDD2C53800FD852EEEC22960
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5D6.tmp.dmp	Mini DuMP crash report, 14 streams, Mon May 27 18:14:34 2024, 0x1205a4 type	13B799C136F8CEB1DA4E07FC15E069FF	28B731F11ED9D92DBD8CE310F5E20688115F4647	2ED2F8AF112F98273B404625F7FEAA560B6A098BF7AF10187960F4E9E51D4098
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF616.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	DC2FE57134D7F0F64F0B35A1E7A7AB16	50B6C4D73006DDA44772C56F4BAD072730129BEC	FC97EFDAA837444C83FEE8EB0059D2599276C547D01FD4FC063F6BBC6B2A605C
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF636.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	107EFBD464B0B6DC3846514488DFD8FE	297E2F2C23D6257A29820BD8568594D6279B48DA	510E323AE6DD151E78A26DBEA565B4329B46BE1AF4071B4463CCF8FB6947F5C1
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	404C4034CDE1B40DE38EE9D7C272C2A6	D7E396A76FF94AA98C87276AB58BBF63C6C95797	F10BF68C30058123975076BEBBBFAA8193A9CFC6CE2A3B66D277B0DC7394C2D0

Source: pcre2-16.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll
Source:	Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb// source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_1731c9291b48156d38e2b4f8fc44dc6afe3fb_76fbbc46_037511ff-28df-4739-9281-9d59950f9335\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_a85d3f61e282c6ab111541d23626a541f6483d_76fbbc46_27c8a652-5e23-4709-baa0-ace937338ba4\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Detected potential crypto function

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052B8B0	0_2_00007FFE0052B8B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005240B0	0_2_00007FFE005240B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00512890	0_2_00007FFE00512890
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00541870	0_2_00007FFE00541870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00508070	0_2_00007FFE00508070
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515922	0_2_00007FFE00515922
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051593D	0_2_00007FFE0051593D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050F100	0_2_00007FFE0050F100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515902	0_2_00007FFE00515902
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515912	0_2_00007FFE00515912
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005170F0	0_2_00007FFE005170F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051E8F0	0_2_00007FFE0051E8F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005170C9	0_2_00007FFE005170C9
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052A980	0_2_00007FFE0052A980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00521960	0_2_00007FFE00521960
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00524960	0_2_00007FFE00524960
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052A170	0_2_00007FFE0052A170
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051594D	0_2_00007FFE0051594D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051B14F	0_2_00007FFE0051B14F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052C1E0	0_2_00007FFE0052C1E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005159D5	0_2_00007FFE005159D5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515AA2	0_2_00007FFE00515AA2
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051FAB0	0_2_00007FFE0051FAB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515AB4	0_2_00007FFE00515AB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051AA7E	0_2_00007FFE0051AA7E
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00520290	0_2_00007FFE00520290
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00511292	0_2_00007FFE00511292
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051F240	0_2_00007FFE0051F240
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00519240	0_2_00007FFE00519240
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00510BBB	0_2_00007FFE00510BBB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515B8C	0_2_00007FFE00515B8C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051B38F	0_2_00007FFE0051B38F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051DB70	0_2_00007FFE0051DB70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515B4C	0_2_00007FFE00515B4C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050A3F0	0_2_00007FFE0050A3F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE004F3C40	0_2_00007FFE004F3C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00526D35	0_2_00007FFE00526D35
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051AD0E	0_2_00007FFE0051AD0E
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052BCE0	0_2_00007FFE0052BCE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005214E0	0_2_00007FFE005214E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051F4C0	0_2_00007FFE0051F4C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE004FD4EA	0_2_00007FFE004FD4EA
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051DDA0	0_2_00007FFE0051DDA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00524DB0	0_2_00007FFE00524DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051B5B5	0_2_00007FFE0051B5B5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050FD80	0_2_00007FFE0050FD80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00516590	0_2_00007FFE00516590
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052ED60	0_2_00007FFE0052ED60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051054D	0_2_00007FFE0051054D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00500D60	0_2_00007FFE00500D60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051EE20	0_2_00007FFE0051EE20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052A610	0_2_00007FFE0052A610
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00522E10	0_2_00007FFE00522E10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052B5C0	0_2_00007FFE0052B5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005095C0	0_2_00007FFE005095C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052C5D0	0_2_00007FFE0052C5D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005115D0	0_2_00007FFE005115D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051669E	0_2_00007FFE0051669E
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050D6B0	0_2_00007FFE0050D6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051667F	0_2_00007FFE0051667F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00516687	0_2_00007FFE00516687
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00516692	0_2_00007FFE00516692
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051BE97	0_2_00007FFE0051BE97
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0053169C	0_2_00007FFE0053169C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00518672	0_2_00007FFE00518672
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00512E75	0_2_00007FFE00512E75
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0053BF20	0_2_00007FFE0053BF20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050BF3D	0_2_00007FFE0050BF3D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00530710	0_2_00007FFE00530710
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00506ECA	0_2_00007FFE00506ECA
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0052DEC0	0_2_00007FFE0052DEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00509FA0	0_2_00007FFE00509FA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00511FA9	0_2_00007FFE00511FA9
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00514FB0	0_2_00007FFE00514FB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051AF9D	0_2_00007FFE0051AF9D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00517F73	0_2_00007FFE00517F73
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00528F40	0_2_00007FFE00528F40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0050BF40	0_2_00007FFE0050BF40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515747	0_2_00007FFE00515747
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00523820	0_2_00007FFE00523820
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00508830	0_2_00007FFE00508830
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051B830	0_2_00007FFE0051B830
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00515805	0_2_00007FFE00515805
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051581A	0_2_00007FFE0051581A
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE0051F7E0	0_2_00007FFE0051F7E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005157F5	0_2_00007FFE005157F5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE004FAFE8	0_2_00007FFE004FAFE8

One or more processes crash

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7336 -s 332

Source: classification engine

Classification label: clean4.winDLL@108/17@0/0

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7320
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7336
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7756

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9a540079-8a23-46e2-b9c0-b272d37860c0

Jump to behavior

Source: pcre2-16.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pcre2-16.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7336 -s 332
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7320 -s 332
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_16
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 324
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_with_tables_16
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7756 -s 324
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_callout_enumerate_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_with_tables_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_number_from_name_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_nametable_scan_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_get_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_free_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_bynumber_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_byname_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_bynumber_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_byname_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_free_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_bynumber_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_byname_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substitute_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_substitute_callout_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_memory_management_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_limit_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_parens_nest_limit_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_offset_limit_16
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_with_tables_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_callout_enumerate_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_with_tables_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_number_from_name_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_nametable_scan_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_get_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_free_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_bynumber_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_byname_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_bynumber_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_byname_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_free_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_bynumber_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_byname_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substitute_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_substitute_callout_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_memory_management_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_limit_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_parens_nest_limit_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_offset_limit_16	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140.dll			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: pcre2-16.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pcre2-16.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: pcre2-16.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: pcre2-16.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll
Source:	Binary string: C:\DISQO-Dev\vcpkg\buildtrees\pcre2\x64-windows-rel\pcre2-16.pdb// source: loaddll64.exe, 00000000.00000002.2879905573.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1748628092.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1771745285.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1748710356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1754823653.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1714157625.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1717569155.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1716011101.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1719718381.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1719416153.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1720597750.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1720555307.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1719012220.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1722153325.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1720518666.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1720656916.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1722112566.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1720560199.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1721926443.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1721999203.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1719436452.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.1720751694.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1721201356.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1722036837.00007FFE00552000.00000002.00000001.01000000.00000003.sdmp, pcre2-16.dll

Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pcre2-16.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE0052B3D0 GetSystemInfo,VirtualAlloc,

0_2_00007FFE0052B3D0

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_1731c9291b48156d38e2b4f8fc44dc6afe3fb_76fbbc46_037511ff-28df-4739-9281-9d59950f9335\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_pcr_a85d3f61e282c6ab111541d23626a541f6483d_76fbbc46_27c8a652-5e23-4709-baa0-ace937338ba4\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Checks if the current process is being debugged

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll64.exe

0_2_00007FFE005447F0

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE00543D50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FFE00543D50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFE005447F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00007FFE005447F0

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE005256B0 cpuid

0_2_00007FFE005256B0

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE005443AC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FFE005443AC

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

ID:	1448101
Product:	CloudBasic
Start time:	20:13:45
Start date:	27.05.2024
Sample:	pcre2-16.dll
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	36185746a613bdc3e52906e4c053ab89
SHA1:	fa0ee487b8b311d26b51cca2c83eb12441a0d4d5
SHA256:	b1adadb919f6fb08fa87b4a7bae069ead20f48f3e5779d9b3b4f2e4e1ba0f189
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Windows Analysis Report
pcre2-16.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report pcre2-16.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
pcre2-16.dll