Analysis Overview
SHA256
b86bcee73c65b50d5a86976c855aca8ebe7542f7fb983ea7b6c9ef5b69456d18
Threat Level: Known bad
The file BF2Editor_original_unpacked.zip was found to be: Known bad.
Malicious Activity Summary
Detects Strela Stealer payload
Strela family
Suspicious Office macro
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 00:21
Signatures
Detects Strela Stealer payload
Strela family
Suspicious Office macro
Unsigned PE
Analysis: behavioral28
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:27
Platform
win10-20240404-en
Max time kernel
131s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4424 wrote to memory of 5116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SwiffPlayer_r.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SwiffPlayer_r.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:25
Platform
win10-20240404-en
Max time kernel
126s
Max time network
139s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\install-sh"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:25
Platform
win10-20240404-en
Max time kernel
126s
Max time network
141s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\boolean\test.sh"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
129s
Max time network
138s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ObjectTest.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ObjectTest.exe
"C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ObjectTest.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
Files
memory/1460-0-0x00000000009C0000-0x0000000000A3D000-memory.dmp
memory/1460-2-0x0000000000A40000-0x0000000000B1A000-memory.dmp
memory/1460-3-0x00000000009C0000-0x0000000000A3D000-memory.dmp
memory/1460-1-0x00000000001C0000-0x00000000001CB000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
131s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\fix_navmeshes.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
130s
Max time network
138s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SoundEngineTest.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SoundEngineTest.exe
"C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SoundEngineTest.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:27
Platform
win10-20240404-en
Max time kernel
131s
Max time network
143s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\bf2editor\Help\ObjectEditor_Help.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:25
Platform
win10-20240404-en
Max time kernel
127s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\coarsen\flat.sh"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:25
Platform
win10-20240404-en
Max time kernel
126s
Max time network
140s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\coarsen\flat1.sh"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.6.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240611-en
Max time kernel
119s
Max time network
140s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\too_close.sh"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
141s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4112 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libglib-2.0-0.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libglib-2.0-0.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 157.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/212-1-0x0000000001240000-0x000000000124B000-memory.dmp
memory/212-0-0x00000000049B0000-0x0000000004A8A000-memory.dmp
memory/212-2-0x0000000010000000-0x000000001007D000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:27
Platform
win10-20240404-en
Max time kernel
142s
Max time network
138s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3176 wrote to memory of 880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgobject-2.0-0.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgobject-2.0-0.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/880-0-0x0000000000F50000-0x0000000000FCD000-memory.dmp
memory/880-1-0x0000000000D10000-0x0000000000D1B000-memory.dmp
memory/880-2-0x00000000045E0000-0x00000000046BA000-memory.dmp
memory/880-4-0x0000000000F50000-0x0000000000FCD000-memory.dmp
memory/880-3-0x0000000010000000-0x0000000010037000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
130s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\xpack_navmesh.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:27
Platform
win10-20240404-en
Max time kernel
128s
Max time network
140s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\bf2editor\Help\CommandDescriptions.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:27
Platform
win10-20240404-en
Max time kernel
130s
Max time network
140s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\bf2editor\Help\Tutorial\How to create a destroyable object in the Editor.doc" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.17.209.123:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 123.209.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
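Most rows in the network table are PTR queries to 8.8.8.8, not contacts with attacker infrastructure: the sandbox host reverse-resolves the addresses it has just connected to (for instance `24.211.222.173.in-addr.arpa` is the lookup for 173.222.211.24, the Akamai node serving `binaries.templates.cdn.office.net` above). The following helper, added here as an illustration and not part of the sandbox report, decodes `in-addr.arpa` and `ip6.arpa` names back to addresses and separates reverse lookups, forward DNS queries and direct connections so the table can be read at a glance. The sample rows are copied from the table above; the `ip6.arpa` name decodes to `808:808::`, an oddly formed lookup that does not correspond to any host the sample contacted.

```python
import ipaddress
import re

# Constructed sample rows, copied from the network table in this report:
# (country, destination, domain, protocol).
SAMPLE_ROWS = [
    ("US", "8.8.8.8:53", "240.143.123.92.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "24.211.222.173.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "metadata.templates.cdn.office.net", "udp"),
    ("GB", "2.17.209.123:443", "metadata.templates.cdn.office.net", "tcp"),
    ("GB", "173.222.211.24:443", "binaries.templates.cdn.office.net", "tcp"),
    ("US", "8.8.8.8:53",
     "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa", "udp"),
]


def ptr_to_ip(name):
    """Turn a reverse-DNS query name back into the address being looked up.

    Returns the address as a string, or None when the name is not a
    well-formed in-addr.arpa / ip6.arpa name (i.e. a forward lookup).
    """
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
            return None
        # in-addr.arpa lists the octets least-significant first.
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
            return None
        # ip6.arpa lists all 32 hex nibbles least-significant first.
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


def summarize(rows):
    """Split table rows into decoded reverse lookups, forward DNS queries
    and direct (non-DNS) connections, de-duplicating the latter two."""
    reverse, forward, direct = [], set(), set()
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if port == "53":
            ip = ptr_to_ip(domain)
            if ip is not None:
                reverse.append(ip)
            else:
                forward.add(domain)
        else:
            direct.add((host, int(port), domain, proto))
    return {"reverse": reverse, "forward": sorted(forward), "direct": sorted(direct)}


if __name__ == "__main__":
    for kind, items in summarize(SAMPLE_ROWS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Reading the output this way makes the pattern obvious: the only hosts actually reached over TCP are the Office template CDN nodes, and every PTR query resolves to one of those nodes or to a Microsoft address range the image contacts in the background.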
Files
memory/700-0-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp
memory/700-1-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp
memory/700-2-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp
memory/700-3-0x00007FFADB325000-0x00007FFADB326000-memory.dmp
memory/700-4-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp
memory/700-5-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-6-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-9-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-10-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-11-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-13-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-12-0x00007FFA98670000-0x00007FFA98680000-memory.dmp
memory/700-14-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-15-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-16-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-17-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-18-0x00007FFA98670000-0x00007FFA98680000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/700-199-0x0000026F69CE0000-0x0000026F69DE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDBE2F.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
memory/700-683-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-685-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-684-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-686-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-687-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-688-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-689-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-691-0x0000026F69CE0000-0x0000026F69DE5000-memory.dmp
memory/700-752-0x0000026F69CE0000-0x0000026F69DE5000-memory.dmp
memory/700-766-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp
memory/700-767-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp
memory/700-768-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp
memory/700-765-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp
memory/700-769-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-771-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp
memory/700-770-0x0000026F69CE0000-0x0000026F69DE5000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:27
Platform
win10-20240611-en
Max time kernel
122s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2744 wrote to memory of 4040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2744 wrote to memory of 4040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2744 wrote to memory of 4040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\TextureAtlasBuilder_r.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\TextureAtlasBuilder_r.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240611-en
Max time kernel
120s
Max time network
137s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\cartesian_speed.sh"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:25
Platform
win10-20240404-en
Max time kernel
129s
Max time network
138s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\random_speed.sh"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240611-en
Max time kernel
121s
Max time network
138s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe
"C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
129s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2184 wrote to memory of 1436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2184 wrote to memory of 1436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2184 wrote to memory of 1436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\asprintf.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\asprintf.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 620
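The three identical "PID 2184 wrote to memory of 1436" rows, the two rundll32 images with the same command line, and the WerFault invocation all describe one event chain: the 64-bit `system32\rundll32.exe` was handed a 32-bit DLL, re-launched the `SysWOW64` copy of itself to load it (the parent-to-child write the signature fires on), and the 32-bit child, PID 1436, crashed when export ordinal `#1` was called with no arguments. The same pattern recurs in behavioral29, behavioral16, behavioral17, behavioral18, behavioral20, behavioral22, behavioral25 and behavioral26. The script below is an added triage helper, not part of the sandbox report; it collapses the repeated WriteProcessMemory rows into parent/child edges, extracts the DLL and entry point from the rundll32 command line, and uses the `-p` argument of WerFault to mark which process crashed. The sample rows are copied from the behavioral13 section above; the classification labels are this example's own.

```python
import re

# Constructed sample rows copied from the behavioral13 tables above.
WPM_ROWS = [  # (description, process, target)
    ("PID 2184 wrote to memory of 1436",
     r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    ("PID 2184 wrote to memory of 1436",
     r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    ("PID 2184 wrote to memory of 1436",
     r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
]
PROCESS_ROWS = [  # (image, command line)
    (r"C:\Windows\system32\rundll32.exe",
     r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\asprintf.dll",#1'),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\asprintf.dll",#1'),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 620"),
]

# rundll32 <dll>,<entry>  where entry is an export name or an ordinal written as #N.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>#\d+|\w+)', re.I)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
WERFAULT_RE = re.compile(r"WerFault\.exe\s.*?-p\s+(\d+)", re.I)


def parse_rundll32(cmdline):
    """Return {'dll': path, 'entry': name-or-#ordinal} or None if not a rundll32 launch."""
    m = RUNDLL_RE.match(cmdline.strip())
    return {"dll": m["dll"], "entry": m["entry"]} if m else None


def triage(wpm_rows, process_rows):
    """Collapse WriteProcessMemory rows into parent->child edges, attach the
    rundll32 command lines, and mark children that WerFault reported crashed."""
    edges = {}
    for desc, parent, child in wpm_rows:
        m = WPM_RE.search(desc)
        if m:
            edges[(int(m[1]), int(m[2]))] = (parent, child)

    cmd_by_image, crashed = {}, set()
    for image, cmd in process_rows:
        cmd_by_image.setdefault(image.lower(), cmd)
        m = WERFAULT_RE.search(cmd)
        if m:
            crashed.add(int(m[1]))  # -p <pid> names the faulting process

    findings = []
    for (ppid, cpid), (parent, child) in sorted(edges.items()):
        pinfo = parse_rundll32(cmd_by_image.get(parent.lower(), ""))
        cinfo = parse_rundll32(cmd_by_image.get(child.lower(), ""))
        # 64-bit rundll32 re-launching the SysWOW64 copy with the identical
        # command line is how a 32-bit DLL gets loaded; nothing else was injected.
        wow64_handoff = (parent.lower().endswith(r"\system32\rundll32.exe")
                         and child.lower().endswith(r"\syswow64\rundll32.exe")
                         and pinfo is not None and pinfo == cinfo)
        findings.append({
            "parent": ppid, "child": cpid,
            "dll": cinfo["dll"] if cinfo else None,
            "entry": cinfo["entry"] if cinfo else None,
            "verdict": ("wow64 rundll32 handoff (32-bit DLL)" if wow64_handoff
                        else "review: unexpected parent/child pair"),
            "child_crashed": cpid in crashed,
        })
    return findings


if __name__ == "__main__":
    for f in triage(WPM_ROWS, PROCESS_ROWS):
        print(f)
```

A crash in a DLL detonated this way says little either way: the sandbox calls ordinal 1 of every DLL in the archive with whatever that export happens to be, and a library function invoked with no arguments is expected to fault. The rows worth attention are those where the parent/child pair or the command line differ, which this listing does not show.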
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
141s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4672 wrote to memory of 1368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4672 wrote to memory of 1368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4672 wrote to memory of 1368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\gts.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\gts.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/1368-0-0x0000000000E70000-0x0000000000EED000-memory.dmp
memory/1368-1-0x00000000005F0000-0x00000000005FB000-memory.dmp
memory/1368-2-0x0000000000FB0000-0x000000000108A000-memory.dmp
memory/1368-3-0x0000000000E70000-0x0000000000EED000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
129s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1504 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1504 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1504 wrote to memory of 2716 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\iconv.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\iconv.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
131s
Max time network
138s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4908 wrote to memory of 2568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4908 wrote to memory of 2568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4908 wrote to memory of 2568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\PCRegExp_r.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\PCRegExp_r.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:25
Platform
win10-20240404-en
Max time kernel
130s
Max time network
138s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\cartesian.sh"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240611-en
Max time kernel
120s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\BF2Editor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1448 wrote to memory of 2264 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\BF2Editor.exe |
| PID 1448 wrote to memory of 2264 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\BF2Editor.exe |
| PID 1448 wrote to memory of 2264 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Battlefield 2\BF2Editor.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\SaveQuadLocal.bat"
C:\Users\Admin\AppData\Local\Temp\Battlefield 2\BF2Editor.exe
bf2editor +loadMod +loadLevel +runConFileAndClose "saveQuadNoP4" +enableAsserts 0 +forceLoadPlugin SinglePlayerEditor
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
130s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1104 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1104 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1104 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\intl.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\intl.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/2768-0-0x0000000002F60000-0x000000000303A000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
129s
Max time network
141s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\navmeshControl.py"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
140s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3820 wrote to memory of 1672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3820 wrote to memory of 1672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3820 wrote to memory of 1672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgthread-2.0-0.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgthread-2.0-0.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
Files
memory/1672-0-0x0000000004810000-0x000000000488D000-memory.dmp
memory/1672-2-0x0000000004950000-0x0000000004A2A000-memory.dmp
memory/1672-1-0x0000000002BE0000-0x0000000002BEB000-memory.dmp
memory/1672-3-0x0000000010000000-0x000000001000A000-memory.dmp
memory/1672-4-0x0000000004810000-0x000000000488D000-memory.dmp
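The dump file names encode, in order, the PID, a snapshot sequence number and the start and end of the captured region; that naming convention is inferred from the listing and is an assumption of the example below, which is added here and is not part of the sandbox report. Two things in these lists are worth pulling out automatically: regions dumped more than once (`1672-0` and `1672-4` cover the same range, so they can be diffed for in-place changes), and a region starting at `0x10000000`, the historical default preferred base of a 32-bit DLL built with MSVC, which is where `libgthread-2.0-0.dll` (behavioral22) and `libgmodule-2.0-0.dll` (behavioral20, `memory/376-3`) were mapped in their 32-bit rundll32 child. The sample names are copied from those two sections.

```python
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample names copied from the behavioral22 and behavioral20 file lists.
SAMPLE_DUMPS = [
    "memory/1672-0-0x0000000004810000-0x000000000488D000-memory.dmp",
    "memory/1672-2-0x0000000004950000-0x0000000004A2A000-memory.dmp",
    "memory/1672-1-0x0000000002BE0000-0x0000000002BEB000-memory.dmp",
    "memory/1672-3-0x0000000010000000-0x000000001000A000-memory.dmp",
    "memory/1672-4-0x0000000004810000-0x000000000488D000-memory.dmp",
    "memory/376-3-0x0000000010000000-0x0000000010009000-memory.dmp",
]

# MSVC's historical default preferred image base for 32-bit DLLs.
DEFAULT_DLL_BASE = 0x10000000


def parse_dump_name(name):
    """Decode 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' (assumed layout)."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize_dumps(names):
    """Group dumps by (pid, region), record how often each region was captured,
    and attach notes for the regions an analyst would open first."""
    regions = {}
    for name in names:
        d = parse_dump_name(name)
        if d is None:
            continue  # not a memory dump entry (e.g. a dropped file path)
        key = (d["pid"], d["start"], d["end"])
        entry = regions.setdefault(key, {
            "pid": d["pid"], "start": d["start"], "end": d["end"],
            "size": d["size"], "snapshots": [], "notes": [],
        })
        entry["snapshots"].append(d["seq"])

    for entry in regions.values():
        entry["snapshots"].sort()
        if entry["start"] == DEFAULT_DLL_BASE:
            entry["notes"].append(
                "starts at 0x10000000: 32-bit DLL mapped at the default preferred base; "
                "likely the image of the DLL under test")
        if entry["end"] <= 0xFFFFFFFF:
            entry["notes"].append("address fits in 32 bits (consistent with a WOW64 child)")
        if len(entry["snapshots"]) > 1:
            entry["notes"].append(
                f"captured {len(entry['snapshots'])} times; diff the snapshots for in-place changes")
    return sorted(regions.values(), key=lambda e: (e["pid"], e["start"]))


if __name__ == "__main__":
    for e in summarize_dumps(SAMPLE_DUMPS):
        print(f"pid {e['pid']} 0x{e['start']:X}-0x{e['end']:X} ({e['size']:#x} bytes) "
              f"snapshots={e['snapshots']} {e['notes']}")
```

A DLL landing at its preferred base in a freshly created process does not by itself mean it lacks relocations or ASLR support; the dump listing only tells you where to look, and the headers of the dumped image settle the question.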
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:25
Platform
win10-20240404-en
Max time kernel
130s
Max time network
146s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\two_segments.sh"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:26
Platform
win10-20240404-en
Max time kernel
126s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4364 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4364 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4364 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\charset.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\charset.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:27
Platform
win10-20240404-en
Max time kernel
140s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4720 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4720 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4720 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgmodule-2.0-0.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgmodule-2.0-0.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
Files
memory/376-0-0x0000000004660000-0x00000000046DD000-memory.dmp
memory/376-1-0x0000000002CA0000-0x0000000002CAB000-memory.dmp
memory/376-2-0x00000000047E0000-0x00000000048BA000-memory.dmp
memory/376-3-0x0000000010000000-0x0000000010009000-memory.dmp
memory/376-4-0x0000000004660000-0x00000000046DD000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-27 00:21
Reported
2024-07-27 00:27
Platform
win10-20240404-en
Max time kernel
74s
Max time network
80s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4340 wrote to memory of 4776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4340 wrote to memory of 4776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4340 wrote to memory of 4776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\RendDX9_r.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\RendDX9_r.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |