Malware Analysis Report

2024-10-19 08:51

Sample ID 240727-anfn8athqp
Target BF2Editor_original_unpacked.zip
SHA256 b86bcee73c65b50d5a86976c855aca8ebe7542f7fb983ea7b6c9ef5b69456d18
Tags macro strela discovery
Score 10/10

Analysis Overview

Score 10/10

SHA256 b86bcee73c65b50d5a86976c855aca8ebe7542f7fb983ea7b6c9ef5b69456d18

Threat Level: Known bad

The file BF2Editor_original_unpacked.zip was found to be: Known bad.

Malicious Activity Summary

macro strela discovery

Detects Strela Stealer payload

Strela family

Suspicious Office macro

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-27 00:21

Signatures

Detects Strela Stealer payload

Strela family

strela

Suspicious Office macro

macro

Unsigned PE

Analysis: behavioral28

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:27

Platform

win10-20240404-en

Max time kernel

131s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SwiffPlayer_r.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4424 wrote to memory of 5116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4424 wrote to memory of 5116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4424 wrote to memory of 5116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SwiffPlayer_r.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SwiffPlayer_r.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:25

Platform

win10-20240404-en

Max time kernel

126s

Max time network

139s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\install-sh"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\install-sh"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:25

Platform

win10-20240404-en

Max time kernel

126s

Max time network

141s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\boolean\test.sh"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\boolean\test.sh"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

129s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ObjectTest.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ObjectTest.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ObjectTest.exe

"C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ObjectTest.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

memory/1460-0-0x00000000009C0000-0x0000000000A3D000-memory.dmp

memory/1460-2-0x0000000000A40000-0x0000000000B1A000-memory.dmp

memory/1460-3-0x00000000009C0000-0x0000000000A3D000-memory.dmp

memory/1460-1-0x00000000001C0000-0x00000000001CB000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

131s

Max time network

137s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\fix_navmeshes.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\fix_navmeshes.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

130s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SoundEngineTest.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SoundEngineTest.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SoundEngineTest.exe

"C:\Users\Admin\AppData\Local\Temp\Battlefield 2\SoundEngineTest.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:27

Platform

win10-20240404-en

Max time kernel

131s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\bf2editor\Help\ObjectEditor_Help.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\bf2editor\Help\ObjectEditor_Help.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/4116-0-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

memory/4116-1-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

memory/4116-3-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

memory/4116-2-0x00007FFE363B5000-0x00007FFE363B6000-memory.dmp

memory/4116-7-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-8-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-4-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

memory/4116-9-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-11-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-10-0x00007FFDF3300000-0x00007FFDF3310000-memory.dmp

memory/4116-12-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-14-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-15-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-13-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-16-0x00007FFDF3300000-0x00007FFDF3310000-memory.dmp

memory/4116-18-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-17-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-19-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-20-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-22-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-21-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-23-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-24-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-26-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-27-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-38-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-53-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-74-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-75-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-178-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-179-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-217-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

memory/4116-218-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

memory/4116-219-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

memory/4116-220-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

memory/4116-216-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

memory/4116-221-0x00007FFE36310000-0x00007FFE364EB000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:25

Platform

win10-20240404-en

Max time kernel

127s

Max time network

136s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\coarsen\flat.sh"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\coarsen\flat.sh"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:25

Platform

win10-20240404-en

Max time kernel

126s

Max time network

140s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\coarsen\flat1.sh"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\coarsen\flat1.sh"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.6.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240611-en

Max time kernel

119s

Max time network

140s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\too_close.sh"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\too_close.sh"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

141s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libglib-2.0-0.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4112 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4112 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4112 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libglib-2.0-0.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libglib-2.0-0.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/212-1-0x0000000001240000-0x000000000124B000-memory.dmp

memory/212-0-0x00000000049B0000-0x0000000004A8A000-memory.dmp

memory/212-2-0x0000000010000000-0x000000001007D000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:27

Platform

win10-20240404-en

Max time kernel

142s

Max time network

138s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgobject-2.0-0.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3176 wrote to memory of 880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3176 wrote to memory of 880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgobject-2.0-0.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgobject-2.0-0.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/880-0-0x0000000000F50000-0x0000000000FCD000-memory.dmp

memory/880-1-0x0000000000D10000-0x0000000000D1B000-memory.dmp

memory/880-2-0x00000000045E0000-0x00000000046BA000-memory.dmp

memory/880-4-0x0000000000F50000-0x0000000000FCD000-memory.dmp

memory/880-3-0x0000000010000000-0x0000000010037000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

130s

Max time network

137s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\xpack_navmesh.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\xpack_navmesh.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:27

Platform

win10-20240404-en

Max time kernel

128s

Max time network

140s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\bf2editor\Help\CommandDescriptions.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\bf2editor\Help\CommandDescriptions.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/2580-4-0x00007FF855490000-0x00007FF8554A0000-memory.dmp

memory/2580-3-0x00007FF855490000-0x00007FF8554A0000-memory.dmp

memory/2580-9-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-8-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-7-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-2-0x00007FF855490000-0x00007FF8554A0000-memory.dmp

memory/2580-1-0x00007FF8954A5000-0x00007FF8954A6000-memory.dmp

memory/2580-0-0x00007FF855490000-0x00007FF8554A0000-memory.dmp

memory/2580-11-0x00007FF852840000-0x00007FF852850000-memory.dmp

memory/2580-10-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-12-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-13-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-14-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-15-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-18-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-17-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-16-0x00007FF852840000-0x00007FF852850000-memory.dmp

memory/2580-20-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-21-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-22-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-23-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-19-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-25-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-27-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-28-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-24-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-26-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-29-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-30-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-31-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-32-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-180-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-181-0x00007FF8954A5000-0x00007FF8954A6000-memory.dmp

memory/2580-218-0x00007FF855490000-0x00007FF8554A0000-memory.dmp

memory/2580-221-0x00007FF855490000-0x00007FF8554A0000-memory.dmp

memory/2580-220-0x00007FF855490000-0x00007FF8554A0000-memory.dmp

memory/2580-219-0x00007FF855490000-0x00007FF8554A0000-memory.dmp

memory/2580-222-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

memory/2580-223-0x00007FF895400000-0x00007FF8955DB000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:27

Platform

win10-20240404-en

Max time kernel

130s

Max time network

140s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\bf2editor\Help\Tutorial\How to create a destroyable object in the Editor.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\bf2editor\Help\Tutorial\How to create a destroyable object in the Editor.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.17.209.123:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 123.209.17.2.in-addr.arpa udp
US 8.8.8.8:53 24.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/700-0-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp

memory/700-1-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp

memory/700-2-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp

memory/700-3-0x00007FFADB325000-0x00007FFADB326000-memory.dmp

memory/700-4-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp

memory/700-5-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-6-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-9-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-10-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-11-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-13-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-12-0x00007FFA98670000-0x00007FFA98680000-memory.dmp

memory/700-14-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-15-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-16-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-17-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-18-0x00007FFA98670000-0x00007FFA98680000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/700-199-0x0000026F69CE0000-0x0000026F69DE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDBE2F.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/700-683-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-685-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-684-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-686-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-687-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-688-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-689-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-691-0x0000026F69CE0000-0x0000026F69DE5000-memory.dmp

memory/700-752-0x0000026F69CE0000-0x0000026F69DE5000-memory.dmp

memory/700-766-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp

memory/700-767-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp

memory/700-768-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp

memory/700-765-0x00007FFA9B310000-0x00007FFA9B320000-memory.dmp

memory/700-769-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-771-0x00007FFADB280000-0x00007FFADB45B000-memory.dmp

memory/700-770-0x0000026F69CE0000-0x0000026F69DE5000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:27

Platform

win10-20240611-en

Max time kernel

122s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\TextureAtlasBuilder_r.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 4040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2744 wrote to memory of 4040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2744 wrote to memory of 4040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\TextureAtlasBuilder_r.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\TextureAtlasBuilder_r.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240611-en

Max time kernel

120s

Max time network

137s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\cartesian_speed.sh"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\cartesian_speed.sh"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:25

Platform

win10-20240404-en

Max time kernel

129s

Max time network

138s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\random_speed.sh"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\random_speed.sh"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240611-en

Max time kernel

121s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe

"C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\ROBOCOPY.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

129s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\asprintf.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 1436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 1436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 1436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\asprintf.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\asprintf.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 11.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

141s

Max time network

139s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\gts.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4672 wrote to memory of 1368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4672 wrote to memory of 1368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4672 wrote to memory of 1368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\gts.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\gts.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.211.222.173.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/1368-0-0x0000000000E70000-0x0000000000EED000-memory.dmp

memory/1368-1-0x00000000005F0000-0x00000000005FB000-memory.dmp

memory/1368-2-0x0000000000FB0000-0x000000000108A000-memory.dmp

memory/1368-3-0x0000000000E70000-0x0000000000EED000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

129s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\iconv.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 2716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1504 wrote to memory of 2716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1504 wrote to memory of 2716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\iconv.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\iconv.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

131s

Max time network

138s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\PCRegExp_r.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 2568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4908 wrote to memory of 2568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4908 wrote to memory of 2568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\PCRegExp_r.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\PCRegExp_r.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:25

Platform

win10-20240404-en

Max time kernel

130s

Max time network

138s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\cartesian.sh"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\cartesian.sh"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240611-en

Max time kernel

120s

Max time network

139s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\SaveQuadLocal.bat"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Battlefield 2\BF2Editor.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\SaveQuadLocal.bat"

C:\Users\Admin\AppData\Local\Temp\Battlefield 2\BF2Editor.exe

bf2editor +loadMod +loadLevel +runConFileAndClose "saveQuadNoP4" +enableAsserts 0 +forceLoadPlugin SinglePlayerEditor

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

130s

Max time network

140s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\intl.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 2768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\intl.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\intl.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/2768-0-0x0000000002F60000-0x000000000303A000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

129s

Max time network

141s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\navmeshControl.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\navmeshControl.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

140s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgthread-2.0-0.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 1672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3820 wrote to memory of 1672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3820 wrote to memory of 1672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgthread-2.0-0.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgthread-2.0-0.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

memory/1672-0-0x0000000004810000-0x000000000488D000-memory.dmp

memory/1672-2-0x0000000004950000-0x0000000004A2A000-memory.dmp

memory/1672-1-0x0000000002BE0000-0x0000000002BEB000-memory.dmp

memory/1672-3-0x0000000010000000-0x000000001000A000-memory.dmp

memory/1672-4-0x0000000004810000-0x000000000488D000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:25

Platform

win10-20240404-en

Max time kernel

130s

Max time network

146s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\two_segments.sh"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\Navmesh_SDK\gts-dice-0.7.3\test\delaunay\two_segments.sh"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:26

Platform

win10-20240404-en

Max time kernel

126s

Max time network

137s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\charset.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4364 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4364 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\charset.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\charset.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:27

Platform

win10-20240404-en

Max time kernel

140s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgmodule-2.0-0.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4720 wrote to memory of 376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4720 wrote to memory of 376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgmodule-2.0-0.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\NavMesh\libgmodule-2.0-0.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

memory/376-0-0x0000000004660000-0x00000000046DD000-memory.dmp

memory/376-1-0x0000000002CA0000-0x0000000002CAB000-memory.dmp

memory/376-2-0x00000000047E0000-0x00000000048BA000-memory.dmp

memory/376-3-0x0000000010000000-0x0000000010009000-memory.dmp

memory/376-4-0x0000000004660000-0x00000000046DD000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-27 00:21

Reported

2024-07-27 00:27

Platform

win10-20240404-en

Max time kernel

74s

Max time network

80s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\RendDX9_r.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4340 wrote to memory of 4776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4340 wrote to memory of 4776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4340 wrote to memory of 4776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\RendDX9_r.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Battlefield 2\RendDX9_r.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A