Windows Analysis Report: pcre2-16.dll
Overview
General Information
Detection
Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%
Signatures
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Classification
- System is w10x64
- loaddll64.exe (PID: 7260, cmdline: loaddll64.exe "C:\Users\user\Desktop\pcre2-16.dll", MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
  - conhost.exe (PID: 7268, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 7312, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - rundll32.exe (PID: 7336, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",#1, MD5: EF3179D498793BF4234F708D3BE28633)
      - WerFault.exe (PID: 7440, cmdline: C:\Windows\system32\WerFault.exe -u -p 7336 -s 332, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 7320, cmdline: rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_callout_enumerate_16, MD5: EF3179D498793BF4234F708D3BE28633)
    - WerFault.exe (PID: 7452, cmdline: C:\Windows\system32\WerFault.exe -u -p 7320 -s 332, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 7596, cmdline: rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_16, MD5: EF3179D498793BF4234F708D3BE28633)
    - WerFault.exe (PID: 7632, cmdline: C:\Windows\system32\WerFault.exe -u -p 7596 -s 324, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 7756, cmdline: rundll32.exe C:\Users\user\Desktop\pcre2-16.dll,pcre2_code_copy_with_tables_16, MD5: EF3179D498793BF4234F708D3BE28633)
    - WerFault.exe (PID: 7792, cmdline: C:\Windows\system32\WerFault.exe -u -p 7756 -s 324, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 7860, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_callout_enumerate_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7868, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7884, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_code_copy_with_tables_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7900, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_number_from_name_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7924, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_nametable_scan_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7952, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_get_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7980, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_list_free_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7992, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_bynumber_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8012, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_length_byname_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8028, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_bynumber_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8040, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_get_byname_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8052, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_free_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8064, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_bynumber_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8088, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substring_copy_byname_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8112, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_substitute_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8128, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_substitute_callout_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8144, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_memory_management_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8160, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_recursion_limit_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 8180, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_parens_nest_limit_16, MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 4504, cmdline: rundll32.exe "C:\Users\user\Desktop\pcre2-16.dll",pcre2_set_offset_limit_16, MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
- No configs have been found
- No YARA matches
- No Sigma rule has matched
- No Snort rule has matched
There are no malicious signatures.