Windows Analysis Report
CXWk52EmUt.exe

Overview

General Information

Sample name: CXWk52EmUt.exe
(file extension changed from none to .exe; the sample was renamed because its original name is its SHA256 hash)
Original sample name: 13ca948d23ccdd89891280921149a1cb097cb16ec32ea1461e172badd8e88746
Analysis ID: 1500389
MD5: 25841cf541b1b1f7d85cecd00dc260d6
SHA1: 01785395638b15e469b1b3d5a373e639e2177e22
SHA256: 13ca948d23ccdd89891280921149a1cb097cb16ec32ea1461e172badd8e88746

Detection

Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Detected VMProtect packer
HTML page contains suspicious iframes
Hides threads from debuggers
Machine Learning detection for dropped file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing special instructions (VM detection)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Keylogger Generic
Yara signature match
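
The signature "PE file contains an invalid checksum" means the value stored in IMAGE_OPTIONAL_HEADER.CheckSum does not match what the file's bytes sum to. The check below is an added example, not Joe Sandbox code: it recomputes the checksum with the carry-folding word sum that imagehlp's MapFileAndCheckSum uses and compares it with the stored field. It reports a zero field as "unset" rather than "invalid", because unsigned binaries routinely ship without a checksum, so only a non-zero mismatch is the condition the signature describes. The PE32 header stub built by build_minimal_pe() is a constructed, non-executable fixture so the script runs offline; check_file() is the entry point for a real file such as the dropped Avengers.exe or Loader.exe.

```python
"""Recompute a PE image checksum and compare it with the stored
IMAGE_OPTIONAL_HEADER.CheckSum, the check behind the sandbox signature
"PE file contains an invalid checksum".

Added example, not Joe Sandbox code.  build_minimal_pe() constructs a
PE32 header stub purely so the script runs offline; check_file() is the
entry point for a real on-disk PE.
"""
import struct


def pe_checksum(data, checksum_offset):
    """Image checksum of the raw file bytes `data`.

    Same arithmetic as imagehlp's MapFileAndCheckSum (and pefile's
    generate_checksum): add the file as 32-bit words with end-around carry,
    skipping the word that holds the CheckSum field, fold the result to
    16 bits, then add the file length.
    """
    padded = data + b"\x00" * ((4 - len(data) % 4) % 4)
    skip_word = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_word:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_field_offset(data):
    """File offset of CheckSum: e_lfanew -> "PE\\0\\0" (4 bytes) ->
    IMAGE_FILE_HEADER (20 bytes) -> optional header + 0x40 (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    return e_lfanew + 4 + 20 + 0x40


def verify_checksum(data):
    """Return "valid", "invalid" or "unset".

    A zero field is reported as "unset", not "invalid": unsigned binaries
    commonly ship without a checksum, so only a non-zero mismatch is the
    finding the signature describes."""
    offset = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, offset)[0]
    if stored == 0:
        return "unset"
    return "valid" if stored == pe_checksum(data, offset) else "invalid"


def check_file(path):
    with open(path, "rb") as fh:
        return verify_checksum(fh.read())


def build_minimal_pe(stored_checksum=None):
    """Constructed PE32 header stub (not an executable): 0x40-byte DOS header,
    PE signature at 0x40, COFF header, 0xE0-byte optional header, no sections.
    With stored_checksum=None the correct value is written into the field."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    image = bytearray(bytes(dos) + b"PE\x00\x00" + coff + bytes(opt))
    offset = checksum_field_offset(image)
    value = pe_checksum(image, offset) if stored_checksum is None else stored_checksum
    struct.pack_into("<I", image, offset, value)
    return bytes(image)


if __name__ == "__main__":
    for label, value in (("correct", None), ("tampered", 0x1234), ("unset", 0)):
        print(label, verify_checksum(build_minimal_pe(value)))
```

A packer such as VMProtect rewrites the file after the linker computed the checksum, so a stale non-zero value is a common side effect of packing rather than proof of later tampering; pair this check with the packer and section-name signatures above before drawing conclusions.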

AV Detection

Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Avengers.exe ReversingLabs: Detection: 29%
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe ReversingLabs: Detection: 30%
Source: CXWk52EmUt.exe Virustotal: Detection: 22%
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Avengers.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Joe Sandbox ML: detected

Phishing

Source: https://xteamzone.blogspot.com/ HTTP Parser: position:fixed; top:0; left:0; bottom:0; right:0; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;
Source: https://xteamzone.blogspot.com/ HTTP Parser: No favicon
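
The style string the HTTP parser reports is the overlay pattern behind "HTML page contains suspicious iframes": position:fixed with all four edges at 0, 100% width and height, no border and a z-index of 999999 is a frame that sits on top of the whole viewport and hides whatever the page itself renders. The HTTP log further down shows what is framed: requests to softblogs.orgfree.com carry Sec-Fetch-Dest: iframe with a https://xteamzone.blogspot.com/ Referer, so the covering content comes from a different origin than the page the browser navigated to. The detector below is an added example, not the sandbox's parser. SAMPLE_HTML is constructed: the style string is the one quoted above and the frame target is the /blog URL from the HTTP log; the remaining markup is invented for the demo.

```python
"""Detect <iframe> elements styled to cover the whole viewport, the overlay
pattern behind the sandbox signature "HTML page contains suspicious iframes".

Added example, not the sandbox's HTML parser.  SAMPLE_HTML is constructed:
the style string is the one quoted in the report and the frame target is
the /blog URL seen in the HTTP log; the rest of the page is invented.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def parse_style(style):
    """'position:fixed; top:0' -> {'position': 'fixed', 'top': '0'}."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def _is_zero(value):
    return value in ("0", "0px", "0%")


def is_overlay(style):
    """True when the inline style pins the element to the viewport (fixed)
    and makes it cover it: width/height 100%, or all four edges at 0."""
    s = parse_style(style)
    if s.get("position") != "fixed":
        return False
    full_size = s.get("width") == "100%" and s.get("height") == "100%"
    pinned = all(_is_zero(s.get(edge, "")) for edge in ("top", "left", "right", "bottom"))
    return full_size or pinned


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_overlay_iframes(html, page_url):
    """List the overlay frames in `html`, noting whether each one pulls content
    from another origin than the page and how it is stacked/clipped."""
    collector = _IframeCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for frame in collector.iframes:
        style = frame.get("style", "")
        if not is_overlay(style):
            continue
        src_host = urlsplit(frame.get("src", "")).hostname
        s = parse_style(style)
        findings.append({
            "src": frame.get("src", ""),
            "cross_origin": src_host is not None and src_host != page_host,
            "z_index": s.get("z-index"),
            "clips_content": s.get("overflow") == "hidden",
        })
    return findings


# Constructed page (see module docstring).
SAMPLE_HTML = """<html><body>
<h1>Downloads</h1>
<p>Visible blog content that the overlay frame hides.</p>
<iframe src="https://softblogs.orgfree.com/blog" style="position:fixed; top:0; left:0; bottom:0; right:0; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;"></iframe>
<iframe src="/widgets/comments" style="position:fixed; top:0px; left:0px; right:0px; bottom:0px;"></iframe>
<iframe src="https://www.example.com/player" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_overlay_iframes(SAMPLE_HTML, "https://xteamzone.blogspot.com/"):
        print(hit)
```

Only inline styles are inspected; a page that applies the same rules from a stylesheet or from script would need the computed style from a real browser engine, which is also why the sandbox reports the hits from its own HTTP parser rather than from the static HTML.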
Source: CXWk52EmUt.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:58929 version: TLS 1.0
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File opened: C:\Program Files (x86)\Gsm_X_Team\Avengers\msvcr100.dll
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.164.15:443 -> 192.168.2.5:58925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:58926 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:58927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:58928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:58958 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:58972 version: TLS 1.2
Source: Binary string: X:\Work\PeCancer\Versions\pdb\Release\XShell32.pdb source: Loader.exe, 00000004.00000002.3293842440.0000000003770000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdbUGP source: Loader.exe, 00000004.00000002.3297255984.00000000040CC000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: X:\Work\PeCancer\Versions\pdb\Release\cuckooX.pdbd source: Loader.exe, 00000004.00000002.3293842440.000000000378F000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: Loader.exe, 00000004.00000002.3294235894.00000000039D0000.00000040.00001000.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2551300730.0000000003CAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3295043851.0000000003DC8000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: Loader.exe, 00000004.00000002.3297255984.00000000040CC000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: Loader.exe, 00000004.00000003.2565898788.0000000001BAE000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3297255984.0000000004050000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: Loader.exe, 00000004.00000002.3297969549.0000000004278000.00000040.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2545233930.0000000004052000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Loader.exe, 00000004.00000002.3295699542.0000000003EA9000.00000040.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2540118398.0000000003CAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Loader.exe, 00000004.00000002.3295699542.0000000003EA9000.00000040.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2540118398.0000000003CAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: X:\Work\PeCancer\Versions\pdb\Release\cuckooX.pdb source: Loader.exe, 00000004.00000002.3293842440.000000000378F000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: X:\Work\PeCancer\Versions\pdb\Release\XShell32.pdbP source: Loader.exe, 00000004.00000002.3293842440.0000000003770000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: Loader.exe, 00000004.00000003.2559650717.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3300078236.00000000044A4000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: Loader.exe, 00000004.00000002.3294235894.00000000039D0000.00000040.00001000.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2551300730.0000000003CAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3295043851.0000000003DC8000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: Loader.exe, 00000004.00000002.3297969549.0000000004278000.00000040.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2545233930.0000000004052000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: Loader.exe, 00000004.00000003.2565898788.0000000001BAE000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3297255984.0000000004050000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: Loader.exe, 00000004.00000003.2559650717.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3300078236.00000000044A4000.00000040.00000800.00020000.00000000.sdmp
Source: global traffic TCP traffic: 192.168.2.5:63298 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.5:58924 -> 162.159.36.2:53
Source: Joe Sandbox View IP Address: 172.67.15.14 172.67.15.14
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 104.22.44.142 104.22.44.142
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91 (reported 7 times)
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26 (reported 23 times)
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2 (reported 4 times)
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.164.15 (reported 9 times)
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103 (reported 7 times)
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=NCLdtzswErgtaRf&MD=b+Fn6nrs HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /clientwebservice/ping HTTP/1.1 | Connection: Keep-Alive | User-Agent: DNS resiliency checker/1.0 | Host: fe3cr.delivery.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /sls/ping HTTP/1.1 | Connection: Keep-Alive | User-Agent: DNS resiliency checker/1.0 | Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=NCLdtzswErgtaRf&MD=b+Fn6nrs HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: xteamzone.blogspot.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: none | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/v1/widgets/3566091532-css_bundle_v2.css HTTP/1.1 | Host: www.blogger.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: text/css,*/*;q=0.1 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: style | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/v1/widgets/3618731732-widgets.js HTTP/1.1 | Host: www.blogger.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-Dest: iframe | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /6455bf966a9aad4bc5792f1d/1gvnf8pli HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Origin: https://xteamzone.blogspot.com | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: script | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/ HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-Dest: iframe | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /6455bf966a9aad4bc5792f1d/1gvnf8pli HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/v1/widgets/3618731732-widgets.js HTTP/1.1 | Host: www.blogger.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/knowledgebase.php HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-Dest: iframe | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/css/app.min.css?3.4.3 HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: text/css,*/*;q=0.1 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: style | Referer: https://softblogs.orgfree.com/blog/knowledgebase.php | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/jquery-3.5.1.min.js HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://softblogs.orgfree.com/blog/knowledgebase.php | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/hesk_functions.js?3.4.3 HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://softblogs.orgfree.com/blog/knowledgebase.php | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/svg4everybody.min.js HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://softblogs.orgfree.com/blog/knowledgebase.php | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/selectize.min.js HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://softblogs.orgfree.com/blog/knowledgebase.php | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/app.min.js?3.4.3 HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://softblogs.orgfree.com/blog/knowledgebase.php | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/fonts/Lato-Bold.woff2 HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Origin: https://softblogs.orgfree.com | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: font | Referer: https://softblogs.orgfree.com/blog/theme/hesk3/customer/css/app.min.css?3.4.3 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/fonts/Lato-Regular.woff2 HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Origin: https://softblogs.orgfree.com | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: font | Referer: https://softblogs.orgfree.com/blog/theme/hesk3/customer/css/app.min.css?3.4.3 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/img/sprite.svg HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: same-origin | Sec-Fetch-Dest: image | Referer: https://softblogs.orgfree.com/blog/knowledgebase.php | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/svg4everybody.min.js HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/hesk_functions.js?3.4.3 HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/app.min.js?3.4.3 HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/selectize.min.js HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-main.js HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Origin: https://xteamzone.blogspot.com | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: script | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-vendor.js HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Origin: https://xteamzone.blogspot.com | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: script | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-vendors.js HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Origin: https://xteamzone.blogspot.com | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: script | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-common.js HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Origin: https://xteamzone.blogspot.com | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: script | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/js/jquery-3.5.1.min.js HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-runtime.js HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Origin: https://xteamzone.blogspot.com | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: script | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-app.js HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Origin: https://xteamzone.blogspot.com | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: script | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Host: xteamzone.blogspot.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/theme/hesk3/customer/img/sprite.svg HTTP/1.1 | Host: softblogs.orgfree.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT | Range: bytes=0-2147483646 | User-Agent: Microsoft BITS/7.8 | Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /v1/widget-settings?propertyId=6455bf966a9aad4bc5792f1d&widgetId=1gvnf8pli&sv=null HTTP/1.1 | Host: va.tawk.to | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Origin: https://xteamzone.blogspot.com | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://xteamzone.blogspot.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-main.js HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-runtime.js HTTP/1.1 | Host: embed.tawk.to | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-app.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-vendor.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-vendors.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-common.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: xteamzone.blogspot.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: twk_idm_key=RDo41c25ApOcLm-6YXM6b; TawkConnectionTime=1724838357290
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/languages/en.js HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://xteamzone.blogspot.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /v1/widget-settings?propertyId=6455bf966a9aad4bc5792f1d&widgetId=1gvnf8pli&sv=null HTTP/1.1Host: va.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/languages/en.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-bf24a88e.js HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://xteamzone.blogspot.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-71978bb6.js HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://xteamzone.blogspot.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-f1565420.js HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://xteamzone.blogspot.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-7c2f6ba4.js HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://xteamzone.blogspot.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-48f3b594.js HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://xteamzone.blogspot.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-4fe9d5dd.js HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://xteamzone.blogspot.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /s/?k=66cef1d7ee771623a2438f32&cver=0&pop=false&asver=0&tkn=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InZpc2l0b3ItYXBwbGljYXRpb24tc2VydmVyLTIwMjEwMjIifQ.eyJwaWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQiLCJ2aWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQtZGpfaXBoclZKV2tzOERXNE8zYWxGIiwic2lkIjoiNjZjZWYxZDdlZTc3MTYyM2EyNDM4ZjMyIiwiaWF0IjoxNzI0ODM4MzU5LCJleHAiOjE3MjQ4NDAxNTksImp0aSI6InVlUDA3aTVTXzBKOXhueFlpM0JoYiJ9.R0Uu6mm5Hdr7Onmk5ZXo_O6hv1rwuLzQgzj0lAWRMl009TKru9u3QIcSvllvt_Bg76kImd6KuFaq5K884vIn_w&EIO=3&transport=websocket&__t=P6OOAti HTTP/1.1Host: vsa45.tawk.toConnection: UpgradePragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Upgrade: websocketOrigin: https://xteamzone.blogspot.comSec-WebSocket-Version: 13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Sec-WebSocket-Key: dwCzYocRbE+cBGsip+H+ig==Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic HTTP traffic detected: GET /v1/session/start HTTP/1.1Host: va.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/css/min-widget.css HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/css/bubble-widget.css HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/css/message-preview.css HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-2d0b9454.js HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://xteamzone.blogspot.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-24d8db78.js HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://xteamzone.blogspot.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-4fe9d5dd.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-71978bb6.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-f1565420.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-bf24a88e.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-7c2f6ba4.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-48f3b594.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /s/?k=66cef1d7ee771623a2438f32&cver=0&pop=false&asver=0&tkn=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InZpc2l0b3ItYXBwbGljYXRpb24tc2VydmVyLTIwMjEwMjIifQ.eyJwaWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQiLCJ2aWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQtZGpfaXBoclZKV2tzOERXNE8zYWxGIiwic2lkIjoiNjZjZWYxZDdlZTc3MTYyM2EyNDM4ZjMyIiwiaWF0IjoxNzI0ODM4MzU5LCJleHAiOjE3MjQ4NDAxNTksImp0aSI6InVlUDA3aTVTXzBKOXhueFlpM0JoYiJ9.R0Uu6mm5Hdr7Onmk5ZXo_O6hv1rwuLzQgzj0lAWRMl009TKru9u3QIcSvllvt_Bg76kImd6KuFaq5K884vIn_w&EIO=3&transport=websocket&__t=P6OOBGQ HTTP/1.1Host: vsa45.tawk.toConnection: UpgradePragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Upgrade: websocketOrigin: https://xteamzone.blogspot.comSec-WebSocket-Version: 13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Sec-WebSocket-Key: dt3bUI9yAwliUyZ+YPvl9Q==Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic HTTP traffic detected: GET /v1/session/start HTTP/1.1Host: va.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/assets/fonts/tawk-font-icon-2.woff2?55755728= HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://xteamzone.blogspot.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://embed.tawk.to/_s/v4/app/66cbd978a7b/css/bubble-widget.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/css/max-widget.css HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-2d0b9454.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/assets/images/attention-grabbers/7-r-br.svg HTTP/1.1Host: embed.tawk.toConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/app/66cbd978a7b/js/twk-chunk-24d8db78.js HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_s/v4/assets/images/attention-grabbers/7-r-br.svg HTTP/1.1Host: embed.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /s/?k=66cef1d7ee771623a2438f32&cver=0&pop=false&asver=0&tkn=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InZpc2l0b3ItYXBwbGljYXRpb24tc2VydmVyLTIwMjEwMjIifQ.eyJwaWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQiLCJ2aWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQtZGpfaXBoclZKV2tzOERXNE8zYWxGIiwic2lkIjoiNjZjZWYxZDdlZTc3MTYyM2EyNDM4ZjMyIiwiaWF0IjoxNzI0ODM4MzU5LCJleHAiOjE3MjQ4NDAxNTksImp0aSI6InVlUDA3aTVTXzBKOXhueFlpM0JoYiJ9.R0Uu6mm5Hdr7Onmk5ZXo_O6hv1rwuLzQgzj0lAWRMl009TKru9u3QIcSvllvt_Bg76kImd6KuFaq5K884vIn_w&EIO=3&transport=websocket&__t=P6OOBdi HTTP/1.1Host: vsa45.tawk.toConnection: UpgradePragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Upgrade: websocketOrigin: https://xteamzone.blogspot.comSec-WebSocket-Version: 13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Sec-WebSocket-Key: 25UUKp0vsrWhp5hUsuj3Pw==Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic HTTP traffic detected: GET /v1/session/start HTTP/1.1Host: va.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /v1/session/start HTTP/1.1Host: va.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /s/?k=66cef1d7ee771623a2438f32&cver=0&pop=false&asver=0&tkn=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InZpc2l0b3ItYXBwbGljYXRpb24tc2VydmVyLTIwMjEwMjIifQ.eyJwaWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQiLCJ2aWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQtZGpfaXBoclZKV2tzOERXNE8zYWxGIiwic2lkIjoiNjZjZWYxZDdlZTc3MTYyM2EyNDM4ZjMyIiwiaWF0IjoxNzI0ODM4MzU5LCJleHAiOjE3MjQ4NDAxNTksImp0aSI6InVlUDA3aTVTXzBKOXhueFlpM0JoYiJ9.R0Uu6mm5Hdr7Onmk5ZXo_O6hv1rwuLzQgzj0lAWRMl009TKru9u3QIcSvllvt_Bg76kImd6KuFaq5K884vIn_w&EIO=3&transport=websocket&__t=P6OOC56 HTTP/1.1Host: vsa65.tawk.toConnection: UpgradePragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Upgrade: websocketOrigin: https://xteamzone.blogspot.comSec-WebSocket-Version: 13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Sec-WebSocket-Key: fr64WLP+VV/b3eM6QJkfnw==Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic HTTP traffic detected: GET /v1/session/start HTTP/1.1Host: va.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /s/?k=66cef1d7ee771623a2438f32&cver=0&pop=false&asver=0&tkn=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InZpc2l0b3ItYXBwbGljYXRpb24tc2VydmVyLTIwMjEwMjIifQ.eyJwaWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQiLCJ2aWQiOiI2NDU1YmY5NjZhOWFhZDRiYzU3OTJmMWQtZGpfaXBoclZKV2tzOERXNE8zYWxGIiwic2lkIjoiNjZjZWYxZDdlZTc3MTYyM2EyNDM4ZjMyIiwiaWF0IjoxNzI0ODM4MzU5LCJleHAiOjE3MjQ4NDAxNTksImp0aSI6InVlUDA3aTVTXzBKOXhueFlpM0JoYiJ9.R0Uu6mm5Hdr7Onmk5ZXo_O6hv1rwuLzQgzj0lAWRMl009TKru9u3QIcSvllvt_Bg76kImd6KuFaq5K884vIn_w&EIO=3&transport=websocket&__t=P6OOCQf HTTP/1.1Host: vsa103.tawk.toConnection: UpgradePragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Upgrade: websocketOrigin: https://xteamzone.blogspot.comSec-WebSocket-Version: 13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Sec-WebSocket-Key: Y+5DrBdFiZNNgm8Z9b071Q==Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic HTTP traffic detected: GET /v1/session/start HTTP/1.1Host: va.tawk.toConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: Loader.exe, 00000004.00000002.3283975765.0000000000401000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.facebook.com/Gsm_X_Team-447686715562578/ equals www.facebook.com (Facebook)
Source: Loader.exe, 00000004.00000002.3283975765.0000000000401000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.facebook.com/Gsm_X_Team-447686715562578/open equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: xteamzone.blogspot.com
Source: global traffic DNS traffic detected: DNS query: www.blogger.com
Source: global traffic DNS traffic detected: DNS query: softblogs.orgfree.com
Source: global traffic DNS traffic detected: DNS query: embed.tawk.to
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: va.tawk.to
Source: global traffic DNS traffic detected: DNS query: vsa45.tawk.to
Source: global traffic DNS traffic detected: DNS query: cdn.jsdelivr.net
Source: global traffic DNS traffic detected: DNS query: vsa65.tawk.to
Source: global traffic DNS traffic detected: DNS query: vsa103.tawk.to
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1724838265023&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: Avengers.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: Avengers.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: Avengers.exe.0.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: chromecache_604.9.dr String found in binary or memory: https://github.com/selectize/selectize.js
Source: chromecache_600.9.dr String found in binary or memory: https://www.tawk.to/?utm_source=tawk-messenger&utm_medium=link&utm_campaign=referral&utm_term=6455bf
Source: CXWk52EmUt.exe String found in binary or memory: https://xteamzone.blogspot.com
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, CXWk52EmUt.exe, 00000000.00000002.2708117877.0000000000817000.00000004.00000020.00020000.00000000.sdmp, CXWk52EmUt.exe, 00000000.00000002.2708117877.0000000000813000.00000004.00000020.00020000.00000000.sdmp, CXWk52EmUt.exe, 00000000.00000003.2706805847.000000000078F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.com/
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.com/2
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.com/27
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.com/3
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.com/5
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.com/G
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.com/crosoft
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, CXWk52EmUt.exe, 00000000.00000002.2708117877.0000000000817000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.com/q
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.com/x
Source: Loader.exe, 00000004.00000002.3283975765.0000000000401000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: https://xteamzone.blogspot.comopen
Source: CXWk52EmUt.exe, 00000000.00000003.2706805847.00000000007B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xteamzone.blogspot.coms
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.164.15:443 -> 192.168.2.5:58925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:58926 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:58927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:58928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:58958 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:58972 version: TLS 1.2
Source: Loader.exe, 00000004.00000002.3297969549.0000000004278000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_6f9e72a3-e
Source: Loader.exe, 00000004.00000003.2559650717.0000000004059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_4fc2e14b-7
Source: Yara match File source: 00000004.00000002.3283975765.0000000000A27000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3297969549.0000000004278000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2545233930.0000000004052000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Loader.exe PID: 3596, type: MEMORYSTR

System Summary

Source: 00000004.00000002.3283943529.0000000000400000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: 00000004.00000000.2391784942.0000000000400000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe, type: DROPPED Matched rule: Detects executables packed with Enigma Author: ditekSHen
Source: Avengers.exe.0.dr Static PE information: .vmp0 and .vmp1 section names
Source: CXWk52EmUt.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 00000004.00000002.3283943529.0000000000400000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: 00000004.00000000.2391784942.0000000000400000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe, type: DROPPED Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018
Source: classification engine Classification label: mal54.phis.evad.winEXE@23/515@11/8
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Users\user\Desktop\XTM_Avengers v1.8 ReBirth.lnk Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Users\user\AppData\Local\Temp\$inst Jump to behavior
Source: Yara match File source: 00000004.00000002.3283975765.0000000000401000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: CXWk52EmUt.exe Virustotal: Detection: 22%
Source: CXWk52EmUt.exe String found in binary or memory: Opslaan van de-installatie informatie...
Source: CXWk52EmUt.exe String found in binary or memory: er: Kan bestand niet maken:Schrijven van registersleutels...Maken van snelkoppelingen...Opslaan van de-installatie informatie...Verwijderen van backup bestanden...EindeInstallatie AvengersDoel map:
Source: CXWk52EmUt.exe String found in binary or memory: Avengers zal worden verwijderd uit de volgende map. Klik op De-Installeren om de de-installatie te starten.
Source: CXWk52EmUt.exe String found in binary or memory: De-Install
Source: CXWk52EmUt.exe String found in binary or memory: De-install van:
Source: CXWk52EmUt.exe String found in binary or memory: De-installeren Avengers
Source: CXWk52EmUt.exe String found in binary or memory: De-installatie Afgerond
Source: CXWk52EmUt.exe String found in binary or memory: De de-installatie is met succes be
Source: CXWk52EmUt.exe String found in binary or memory: indigen.Installatie wachtwoordUitvoeren van opdrachten...Registreren: Installatie van Avengers word afgebrokenSchrijven van INI bestanden...Bezig met installerenSetup is gereed om Avengers op uw computer te installeren.Avengers zal worden verwijderd uit de volgende map. Klik op De-Installeren om de de-installatie te starten.De-InstallDe-install van:Ja, de computer nu opnieuw opstartenNee, ik start de computer later opnieuwDe-installeren AvengersVerwijder Avengers van uw computer.AfgerondDe-installatie AfgerondDe de-installatie is met succes be
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File read: C:\Users\user\Desktop\CXWk52EmUt.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\CXWk52EmUt.exe "C:\Users\user\Desktop\CXWk52EmUt.exe"
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Process created: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe "C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe"
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://xteamzone.blogspot.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2264,i,5190171125939309774,15604953791507897399,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Process created: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe "C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe" Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://xteamzone.blogspot.com/ Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2264,i,5190171125939309774,15604953791507897399,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: globinputhost.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: XTM_Avengers v1.8 ReBirth.lnk.0.dr LNK file: ..\..\..\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe
Source: Google Drive.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Automated click: OK
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Automated click: Next >
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Automated click: Next >
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Automated click: Next >
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Automated click: Next >
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Automated click: Install
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File opened: C:\Windows\SysWOW64\msftedit.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: CXWk52EmUt.exe Static file information: File size 18872709 > 1048576
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File opened: C:\Program Files (x86)\Gsm_X_Team\Avengers\msvcr100.dll Jump to behavior
Source: Binary string: X:\Work\PeCancer\Versions\pdb\Release\XShell32.pdb source: Loader.exe, 00000004.00000002.3293842440.0000000003770000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdbUGP source: Loader.exe, 00000004.00000002.3297255984.00000000040CC000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: X:\Work\PeCancer\Versions\pdb\Release\cuckooX.pdbd source: Loader.exe, 00000004.00000002.3293842440.000000000378F000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: Loader.exe, 00000004.00000002.3294235894.00000000039D0000.00000040.00001000.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2551300730.0000000003CAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3295043851.0000000003DC8000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: Loader.exe, 00000004.00000002.3297255984.00000000040CC000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: Loader.exe, 00000004.00000003.2565898788.0000000001BAE000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3297255984.0000000004050000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: Loader.exe, 00000004.00000002.3297969549.0000000004278000.00000040.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2545233930.0000000004052000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Loader.exe, 00000004.00000002.3295699542.0000000003EA9000.00000040.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2540118398.0000000003CAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Loader.exe, 00000004.00000002.3295699542.0000000003EA9000.00000040.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2540118398.0000000003CAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: X:\Work\PeCancer\Versions\pdb\Release\cuckooX.pdb source: Loader.exe, 00000004.00000002.3293842440.000000000378F000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: X:\Work\PeCancer\Versions\pdb\Release\XShell32.pdbP source: Loader.exe, 00000004.00000002.3293842440.0000000003770000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: Loader.exe, 00000004.00000003.2559650717.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3300078236.00000000044A4000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: Loader.exe, 00000004.00000002.3294235894.00000000039D0000.00000040.00001000.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2551300730.0000000003CAC000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3295043851.0000000003DC8000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: Loader.exe, 00000004.00000002.3297969549.0000000004278000.00000040.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000003.2545233930.0000000004052000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: Loader.exe, 00000004.00000003.2565898788.0000000001BAE000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3297255984.0000000004050000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: Loader.exe, 00000004.00000003.2559650717.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3300078236.00000000044A4000.00000040.00000800.00020000.00000000.sdmp
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: Uninstall.exe.0.dr Static PE information: real checksum: 0xcf312 should be: 0xdb4a7
Source: 7z.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xeebe5
Source: 7z.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x2fb1d
Source: Avengers.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x57b1bd
Source: Avengers.exe.0.dr Static PE information: section name: .vmp0
Source: Avengers.exe.0.dr Static PE information: section name: .vmp1
Source: Loader.exe.0.dr Static PE information: section name: .textbss
Source: Loader.exe.0.dr Static PE information: section name: .enigma0
Source: Loader.exe.0.dr Static PE information: section name: .enigma1
Source: 7z.dll.0.dr Static PE information: section name: .sxdata
Source: msvcr100.dll.0.dr Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\7z.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\AdbWinApi.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\cl64.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\AdbWinUsbApi.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\7z.exe
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\Uninstall.exe
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\msvcr100.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\Avengers.exe
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\cl32.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File created: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\adb.exe

Boot Survival

Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Window searched: window name: Regmonclass
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Window searched: window name: Filemonclass
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Memory written: PID: 3596 base: 1B50005 value: E9 8B 2F 3A 75
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Memory written: PID: 3596 base: 76EF2F90 value: E9 7A D0 C5 8A
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Memory written: PID: 3596 base: 1B60007 value: E9 EB DF 3C 75
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Memory written: PID: 3596 base: 76F2DFF0 value: E9 1E 20 C3 8A
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE70DC
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE704A
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE70ED
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE728D
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE73F6
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE7377
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE7995
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE7981
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE79DA
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE7A5B
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE7BE2
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE7CE5
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE7F58
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE81EF
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE8209
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: AE82D3
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: A45383
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: A5420E
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: A4E2D9
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: A4E2EF
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe API/Special instruction interceptor: Address: A5EC67
Source: Loader.exe, 00000004.00000002.3287150436.0000000000C5C000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: 14727D3 second address: 14727D7 instructions: 0x00000000 rdtsc 0x00000002 rol cl, 1 0x00000004 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: E67C81 second address: E67C85 instructions: 0x00000000 rdtsc 0x00000002 rol cl, 1 0x00000004 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE72E5 second address: AE70DC instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 clc 0x00000005 jmp 00007FE800BB1AE9h 0x0000000a mov bl, al 0x0000000c bswap eax 0x0000000e xchg ebp, eax 0x00000010 bsf esi, ebx 0x00000013 bswap eax 0x00000015 mov word ptr [esp], dx 0x00000019 jmp 00007FE800BB1B72h 0x0000001b lea esp, dword ptr [esp+01h] 0x0000001f lea ebx, dword ptr [ebp-0000C3ABh] 0x00000025 mov si, word ptr [esp] 0x00000029 mov bp, word ptr [esp] 0x0000002d rcl bl, 00000002h 0x00000030 ror di, 0008h 0x00000034 jmp 00007FE800BB1B3Ah 0x00000039 cpuid 0x0000003b setp dl 0x0000003e rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE70DC second address: AE704A instructions: 0x00000000 rdtsc 0x00000002 setb ch 0x00000005 sub esp, 1Ch 0x00000008 pop dword ptr [esp+13h] 0x0000000c jmp 00007FE80087F877h 0x0000000e mov ah, dh 0x00000010 mov word ptr [esp+0Ah], ax 0x00000015 push dword ptr [esp+14h] 0x00000019 lea edi, dword ptr [edx+edx] 0x0000001c mov ebx, ecx 0x0000001e bswap edi 0x00000020 jmp 00007FE80087F86Ah 0x00000022 mov ebx, ebp 0x00000024 btr bx, bx 0x00000028 cpuid 0x0000002a lea ecx, dword ptr [00000000h+eax*4] 0x00000031 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE7108 second address: AE70ED instructions: 0x00000000 rdtsc 0x00000002 mov bl, bh 0x00000004 add esp, 00000000h 0x00000007 jmp 00007FE800BB1BCBh 0x00000009 not bx 0x0000000c rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE726E second address: AE7285 instructions: 0x00000000 rdtsc 0x00000002 lea ecx, dword ptr [00000000h+ebp*4] 0x00000009 mov al, byte ptr [esp] 0x0000000c std 0x0000000d sbb dx, di 0x00000010 push esp 0x00000011 jmp 00007FE80087F8A8h 0x00000013 add esp, 00000000h 0x00000016 setno dh 0x00000019 bswap edi 0x0000001b xchg word ptr [esp], si 0x0000001f xchg dword ptr [esp], ebx 0x00000022 jmp 00007FE80087F8EBh 0x00000024 mov bh, byte ptr [esp] 0x00000027 cld 0x00000028 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE7285 second address: AE728D instructions: 0x00000000 rdtsc 0x00000002 cpuid 0x00000004 pop word ptr [esp] 0x00000008 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE728D second address: AE73F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80087F902h 0x00000004 neg ebp 0x00000006 xchg cx, si 0x00000009 bsr cx, cx 0x0000000d mov ch, 5Bh 0x0000000f inc bp 0x00000011 add esp, 00000000h 0x00000014 jmp 00007FE80087F8AAh 0x00000016 mov eax, dword ptr [esp] 0x00000019 neg bh 0x0000001b add esp, 00000000h 0x0000001e seto ah 0x00000021 sub esp, 1Bh 0x00000024 jmp 00007FE80087FBCBh 0x00000029 not di 0x0000002c mov edi, dword ptr [esp+0Bh] 0x00000030 xchg dword ptr [esp+0Eh], esi 0x00000034 mov bl, 18h 0x00000036 xchg al, bh 0x00000038 adc si, 5B5Dh 0x0000003d jmp 00007FE80087F6FCh 0x00000042 dec bp 0x00000044 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE73F6 second address: AE7377 instructions: 0x00000000 rdtsc 0x00000002 bts ebx, esi 0x00000005 pop edx 0x00000006 lea ebx, dword ptr [ecx-5Bh] 0x00000009 cld 0x0000000a call 00007FE800BB1AF5h 0x0000000f jmp 00007FE800BB1BDAh 0x00000011 not di 0x00000014 xchg eax, edi 0x00000015 cld 0x00000016 btc edi, esi 0x00000019 mov ax, 1499h 0x0000001d dec edx 0x0000001e jmp 00007FE800BB1C17h 0x00000020 xchg dword ptr [esp], eax 0x00000023 pushfd 0x00000024 sub esi, 569C5F6Bh 0x0000002a mov ch, ah 0x0000002c pop dword ptr [esp+15h] 0x00000030 neg dl 0x00000032 jmp 00007FE800BB1BC2h 0x00000034 mov al, dh 0x00000036 pop word ptr [esp+11h] 0x0000003b xchg eax, edx 0x0000003c bswap ebp 0x0000003e bsr bx, cx 0x00000042 mov al, dh 0x00000044 jmp 00007FE800BB1C4Dh 0x00000046 and eax, esi 0x00000048 pop edx 0x00000049 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE7887 second address: AE7995 instructions: 0x00000000 rdtsc 0x00000002 pop word ptr [esp+0Bh] 0x00000007 xchg bx, si 0x0000000a jmp 00007FE80087F8F2h 0x0000000c pop dword ptr [esp+02h] 0x00000010 cmc 0x00000011 mov word ptr [esp+04h], di 0x00000016 xchg edi, ebx 0x00000018 sub esp, 07h 0x0000001b mov word ptr [esp+08h], dx 0x00000020 jmp 00007FE80087FE7Bh 0x00000025 mov dword ptr [esp+0Fh], edi 0x00000029 bswap edi 0x0000002b sete ah 0x0000002e bswap edi 0x00000030 lea eax, dword ptr [esp+57h] 0x00000034 dec al 0x00000036 jmp 00007FE80087F4C6h 0x0000003b rcl ch, cl 0x0000003d adc bl, 00000043h 0x00000040 xchg dword ptr [esp+0Eh], eax 0x00000044 xchg word ptr [esp+05h], dx 0x00000049 pop ax 0x0000004b lea esp, dword ptr [esp+09h] 0x0000004f jmp 00007FE80087F7D8h 0x00000054 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE7995 second address: AE7981 instructions: 0x00000000 rdtsc 0x00000002 call 00007FE800BB1B53h 0x00000007 mov ebp, ecx 0x00000009 add esp, 03h 0x0000000c mov bh, FEh 0x0000000e inc bl 0x00000010 sub si, 54E5h 0x00000015 jmp 00007FE800BB1BCCh 0x00000017 bt bp, si 0x0000001b pop dx 0x0000001d mov edi, ebx 0x0000001f neg eax 0x00000021 mov eax, dword ptr [esp] 0x00000024 sub esp, 05h 0x00000027 call 00007FE800BB1C5Fh 0x0000002c jmp 00007FE800BB1BADh 0x0000002e mov ax, si 0x00000031 mov bh, 3Eh 0x00000033 mov byte ptr [esp+17h], ch 0x00000037 push word ptr [esp+08h] 0x0000003c neg bl 0x0000003e mov dl, byte ptr [esp+0Ch] 0x00000042 jmp 00007FE800BB1BC6h 0x00000044 pop word ptr [esp+13h] 0x00000049 mov ebp, dword ptr [esp+0Dh] 0x0000004d mov word ptr [esp+14h], si 0x00000052 xchg ah, dh 0x00000054 jmp 00007FE800BB1C22h 0x00000056 btc di, ax 0x0000005a and edx, 07E7B862h 0x00000060 xchg ah, al 0x00000062 mov dl, cl 0x00000064 neg edx 0x00000066 jmp 00007FE800BB1BCAh 0x00000068 mov word ptr [esp+14h], bx 0x0000006d xchg bh, dh 0x0000006f btc esi, edi 0x00000072 xchg byte ptr [esp+08h], dh 0x00000076 jmp 00007FE800BB1C27h 0x00000078 neg di 0x0000007b xchg eax, esi 0x0000007c xchg al, dl 0x0000007e rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE7981 second address: AE79DA instructions: 0x00000000 rdtsc 0x00000002 call 00007FE80087F8B2h 0x00000007 mov ecx, dword ptr [esp+17h] 0x0000000b add esp, 12h 0x0000000e jmp 00007FE80087F98Ah 0x00000013 pop word ptr [esp] 0x00000017 cmc 0x00000018 bsr bp, cx 0x0000001c mov cl, dl 0x0000001e mov dword ptr [esp+02h], esi 0x00000022 neg edi 0x00000024 jmp 00007FE80087F84Bh 0x00000029 xchg ebp, edx 0x0000002b call 00007FE80087F8B8h 0x00000030 lea eax, dword ptr [edi+ebp] 0x00000033 pop bp 0x00000035 bswap edi 0x00000037 mov dl, bh 0x00000039 xchg esi, edx 0x0000003b jmp 00007FE80087F8F8h 0x0000003d bts di, dx 0x00000041 std 0x00000042 lea edi, dword ptr [eax+edx] 0x00000045 shr ecx, 1Fh 0x00000048 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE79DA second address: AE7A5B instructions: 0x00000000 rdtsc 0x00000002 pop dx 0x00000004 jmp 00007FE800BB1BCBh 0x00000006 pop dword ptr [esp] 0x00000009 sub si, cx 0x0000000c xchg dword ptr [esp], ecx 0x0000000f pop word ptr [esp] 0x00000013 pop bx 0x00000015 jmp 00007FE800BB1C1Eh 0x00000017 mov si, word ptr [esp] 0x0000001b lea ebp, dword ptr [00000000h+esi*4] 0x00000022 rol ah, cl 0x00000024 bts esi, ebp 0x00000027 xchg ebx, ebp 0x00000029 xchg bx, dx 0x0000002c call 00007FE800BB1BC5h 0x00000031 jmp 00007FE800BB1C20h 0x00000033 neg dh 0x00000035 xchg word ptr [esp], ax 0x00000039 pop word ptr [esp] 0x0000003d lea esp, dword ptr [esp+02h] 0x00000041 jmp 00007FE800BB1C24h 0x00000043 lea esp, dword ptr [esp] 0x00000046 cmc 0x00000047 adc si, ax 0x0000004a mov cl, FFh 0x0000004c rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE7B6C second address: AE7BE2 instructions: 0x00000000 rdtsc 0x00000002 xchg word ptr [esp+03h], di 0x00000007 add di, si 0x0000000a jmp 00007FE80087F90Bh 0x0000000c mov edx, dword ptr [esp+07h] 0x00000010 mov word ptr [esp], bp 0x00000014 mov ch, 07h 0x00000016 xchg edx, ebx 0x00000018 xchg byte ptr [esp+01h], dh 0x0000001c jmp 00007FE80087F8AAh 0x0000001e pop ax 0x00000020 lea eax, dword ptr [ecx+edi] 0x00000023 mov bx, ax 0x00000026 mov al, bl 0x00000028 setp al 0x0000002b xchg bl, ah 0x0000002d jmp 00007FE80087FAB7h 0x00000032 mov word ptr [esp+01h], si 0x00000037 add esp, 05h 0x0000003a bswap esi 0x0000003c setbe bl 0x0000003f mov ecx, ebx 0x00000041 btr ebx, esi 0x00000044 call 00007FE80087F7D0h 0x00000049 jmp 00007FE80087F879h 0x0000004b setnle ch 0x0000004e mov al, E6h 0x00000050 mov edi, 742DD4D8h 0x00000055 or dl, bl 0x00000057 inc bp 0x00000059 cpuid 0x0000005b jmp 00007FE80087F88Dh 0x0000005d lea esp, dword ptr [esp+03h] 0x00000061 push word ptr [esp] 0x00000065 lea esi, dword ptr [30B5F79Fh] 0x0000006b bsf edx, esp 0x0000006e mov ebp, 4E6D7C1Eh 0x00000073 push word ptr [esp] 0x00000077 jmp 00007FE80087F892h 0x00000079 neg dl 0x0000007b push word ptr [esp+05h] 0x00000080 bsr di, bp 0x00000084 not ecx 0x00000086 push ax 0x00000088 mov dword ptr [esp+01h], ecx 0x0000008c jmp 00007FE80087F8A7h 0x0000008e xchg di, si 0x00000091 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE7BE2 second address: AE7CE5 instructions: 0x00000000 rdtsc 0x00000002 xchg ax, bx 0x00000004 xchg word ptr [esp+03h], si 0x00000009 stc 0x0000000a mov edi, dword ptr [esp] 0x0000000d jmp 00007FE800BB1C36h 0x0000000f mov word ptr [esp+05h], bp 0x00000014 xchg bl, ah 0x00000016 lea ebp, dword ptr [00000000h+eax*4] 0x0000001d jmp 00007FE800BB1C21h 0x0000001f xchg dword ptr [esp+04h], ebp 0x00000023 xchg dword ptr [esp+04h], esi 0x00000027 neg di 0x0000002a lea esi, dword ptr [00000000h+ebx*4] 0x00000031 xchg dword ptr [esp+04h], ecx 0x00000035 push word ptr [esp+01h] 0x0000003a jmp 00007FE800BB1BBFh 0x0000003c xchg di, ax 0x0000003f mov eax, dword ptr [esp+06h] 0x00000043 lea edx, dword ptr [B708AE44h] 0x00000049 shr dh, cl 0x0000004b jmp 00007FE800BB1CD0h 0x00000050 neg ebx 0x00000052 dec ah 0x00000054 xchg bx, si 0x00000057 xchg byte ptr [esp+03h], cl 0x0000005b mov cx, 8A1Dh 0x0000005f bsf eax, ecx 0x00000062 jmp 00007FE800BB1BA8h 0x00000064 push dword ptr [esp+08h] 0x00000068 xchg dword ptr [esp+0Ah], ebx 0x0000006c xchg ebx, ebp 0x0000006e xchg dword ptr [esp+0Bh], ebp 0x00000072 dec cx 0x00000074 mov bh, dl 0x00000076 jmp 00007FE800BB1B82h 0x00000078 mov cl, B7h 0x0000007a neg dh 0x0000007c neg bp 0x0000007f setnl bh 0x00000082 xchg word ptr [esp+06h], si 0x00000087 sub esp, 0Ah 0x0000008a jmp 00007FE800BB1BC8h 0x0000008c mov byte ptr [esp+0Ah], dl 0x00000090 mov bx, sp 0x00000093 xchg edx, ebx 0x00000095 bts bx, dx 0x00000099 mov edx, esi 0x0000009b jmp 00007FE800BB1C21h 0x0000009d rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE7E0F second address: AE7E14 instructions: 0x00000000 rdtsc 0x00000002 neg ax 0x00000005 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE7F56 second address: AE7F58 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE81BC second address: AE81EF instructions: 0x00000000 rdtsc 0x00000002 mov ah, byte ptr [esp] 0x00000005 mov cx, word ptr [esp] 0x00000009 jmp 00007FE80087F8EFh 0x0000000b not di 0x0000000e mov ecx, dword ptr [esp] 0x00000011 xchg ecx, esi 0x00000013 setp al 0x00000016 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE81EF second address: AE8209 instructions: 0x00000000 rdtsc 0x00000002 mov cl, 19h 0x00000004 jmp 00007FE800BB1CF9h 0x00000009 lea ebx, dword ptr [00000000h+ebx*4] 0x00000010 mov cx, word ptr [esp+01h] 0x00000015 mov ah, byte ptr [esp+01h] 0x00000019 push word ptr [esp] 0x0000001d mov ax, 2ECCh 0x00000021 xchg dword ptr [esp], ecx 0x00000024 jmp 00007FE800BB1B31h 0x00000029 mov dword ptr [esp], edi 0x0000002c mov si, C383h 0x00000030 cpuid 0x00000032 mov cx, sp 0x00000035 setne bh 0x00000038 mov dh, byte ptr [esp+01h] 0x0000003c jmp 00007FE800BB1BB1h 0x0000003e push word ptr [esp+02h] 0x00000043 xchg edx, edi 0x00000045 mov eax, dword ptr [esp+02h] 0x00000049 call 00007FE800BB1BC2h 0x0000004e rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: AE8209 second address: AE82D3 instructions: 0x00000000 rdtsc 0x00000002 pop word ptr [esp+04h] 0x00000007 lea eax, dword ptr [00000000h+edx*4] 0x0000000e jmp 00007FE80087F8F5h 0x00000010 pop dword ptr [esp] 0x00000013 push dword ptr [esp+02h] 0x00000017 mov bp, bx 0x0000001a pop word ptr [esp+02h] 0x0000001f lea esp, dword ptr [esp+02h] 0x00000023 jmp 00007FE80087F94Ah 0x00000025 push word ptr [esp+02h] 0x0000002a mov si, word ptr [esp+02h] 0x0000002f rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A512A3 second address: A512AD instructions: 0x00000000 rdtsc 0x00000002 xchg byte ptr [esp+02h], bl 0x00000006 xchg dword ptr [esp+04h], esi 0x0000000a rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A3E533 second address: A3E555 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80087F86Ah 0x00000004 lea esp, dword ptr [esp+04h] 0x00000008 inc edi 0x00000009 not cx 0x0000000c mov dx, 8364h 0x00000010 bsr ax, bx 0x00000014 jmp 00007FE80087F8DBh 0x00000016 jnp 00007FE80087F8E6h 0x00000018 stc 0x00000019 bswap eax 0x0000001b xor ah, ah 0x0000001d jmp 00007FE80087F918h 0x0000001f mov edx, dword ptr [esp] 0x00000022 call 00007FE80087F896h 0x00000027 ror edi, 00000000h 0x0000002a sub esp, 10h 0x0000002d jnc 00007FE80087F8EBh 0x0000002f jmp 00007FE80087F8EEh 0x00000031 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A453E7 second address: A452F9 instructions: 0x00000000 rdtsc 0x00000002 inc bx 0x00000004 jmp 00007FE800BB1BAEh 0x00000006 mov dl, byte ptr [esp] 0x00000009 mov eax, ebx 0x0000000b call 00007FE800BB1BB4h 0x00000010 xchg dword ptr [esp+08h], ebp 0x00000014 xchg al, dh 0x00000016 bt dx, dx 0x0000001a mov dl, byte ptr [esp] 0x0000001d jmp 00007FE800BB1BA8h 0x0000001f sub esp, 06h 0x00000022 mov word ptr [esp+03h], di 0x00000027 lea esp, dword ptr [esp+02h] 0x0000002b push dword ptr [esp+0Ch] 0x0000002f retn 0010h 0x00000032 mov bx, A433h 0x00000036 mov al, byte ptr [esp] 0x00000039 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A452F9 second address: A45321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80087F8F6h 0x00000004 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A45321 second address: A45323 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A45323 second address: A45383 instructions: 0x00000000 rdtsc 0x00000002 xchg bx, ax 0x00000005 setno dh 0x00000008 xchg dx, ax 0x0000000b mov eax, dword ptr [esp] 0x0000000e jmp 00007FE80087F8E9h 0x00000010 setl dh 0x00000013 sub esp, 1Bh 0x00000016 jmp 00007FE80087F901h 0x00000018 jo 00007FE80087F8A5h 0x0000001a rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A54228 second address: A541B0 instructions: 0x00000000 rdtsc 0x00000002 bt ax, bp 0x00000006 jnl 00007FE800BB1B5Ch 0x0000000c rol dx, cl 0x0000000f call 00007FE800BB1C2Fh 0x00000014 mov ebx, dword ptr [esp] 0x00000017 mov dx, word ptr [esp] 0x0000001b shl bh, 00000002h 0x0000001e xchg dword ptr [esp], edx 0x00000021 mov eax, dword ptr [esp] 0x00000024 jmp 00007FE800BB1BBDh 0x00000026 setne bl 0x00000029 not bx 0x0000002c bswap ebx 0x0000002e stc 0x0000002f lea edx, dword ptr [edx-00000024h] 0x00000035 xchg al, bl 0x00000037 jmp 00007FE800BB1BC9h 0x00000039 setl ah 0x0000003c neg bx 0x0000003f btr bx, bx 0x00000043 xchg dword ptr [esp], edx 0x00000046 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A541B0 second address: A5420E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80087F922h 0x00000004 lea edx, dword ptr [eax+esi] 0x00000007 sub esp, 05h 0x0000000a mov ah, byte ptr [esp+04h] 0x0000000e rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A4DDAE second address: A4DE0C instructions: 0x00000000 rdtsc 0x00000002 mov dh, byte ptr [esp] 0x00000005 jmp 00007FE800BB1C41h 0x00000007 sub esi, 04h 0x0000000a mov edx, 3EE98BB8h 0x0000000f rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A4E2EF second address: A4E2D9 instructions: 0x00000000 rdtsc 0x00000002 call 00007FE80087F8D6h 0x00000007 bswap eax 0x00000009 lea edx, dword ptr [00000000h+edx*4] 0x00000010 xchg dword ptr [esp], ebp 0x00000013 or dl, dh 0x00000015 cmp dh, ah 0x00000017 jmp 00007FE8008800EBh 0x0000001c shr ah, cl 0x0000001e mov dx, 0888h 0x00000022 lea ebp, dword ptr [ebp-0000001Dh] 0x00000028 inc ah 0x0000002a neg dx 0x0000002d sete ah 0x00000030 jmp 00007FE80087F1D7h 0x00000035 bswap eax 0x00000037 xchg dword ptr [esp], ebp 0x0000003a mov dl, F5h 0x0000003c shl ah, cl 0x0000003e lea edx, dword ptr [00000000h+ebx*4] 0x00000045 push dword ptr [esp] 0x00000048 retn 0004h 0x0000004b rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A51675 second address: A453E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE800BB1BB4h 0x00000004 mov edx, esi 0x00000006 mov edi, dword ptr [edx] 0x00000008 mov bl, ch 0x0000000a mov al, bh 0x0000000c not ax 0x0000000f jmp 00007FE800BB1BCFh 0x00000011 add esi, 04h 0x00000014 and eax, eax 0x00000016 jnle 00007FE800BB1C0Eh 0x00000018 mov bl, DAh 0x0000001a jmp 00007FE800BB1BF7h 0x0000001c mov ax, cx 0x0000001f jmp 00007FE800BA585Bh 0x00000024 mov ecx, edi 0x00000026 call 00007FE800BB1C0Bh 0x0000002b shr bl, cl 0x0000002d inc ah 0x0000002f call 00007FE800BB2364h 0x00000034 bswap edx 0x00000036 xchg dword ptr [esp+04h], ebp 0x0000003a xchg bx, dx 0x0000003d jmp 00007FE800BB156Ch 0x00000042 mov bx, EAE9h 0x00000046 neg dx 0x00000049 mov ax, word ptr [esp] 0x0000004d lea ebp, dword ptr [ebp+2Ch] 0x00000050 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A72802 second address: A72804 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A72804 second address: A7280C instructions: 0x00000000 rdtsc 0x00000002 call 00007FE800BB1BF6h 0x00000007 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A58AFA second address: A4E2EF instructions: 0x00000000 rdtsc 0x00000002 call 00007FE80087F8AAh 0x00000007 mov ebx, esi 0x00000009 rol dx, 0002h 0x0000000d jc 00007FE80087F8B4h 0x0000000f jnc 00007FE80087F967h 0x00000015 rcr ax, cl 0x00000018 dec edx 0x00000019 lea eax, dword ptr [00000000h+edx*4] 0x00000020 jmp 00007FE80087F834h 0x00000025 sub esi, 04h 0x00000028 lea eax, dword ptr [00000000h+ebp*4] 0x0000002f mov eax, dword ptr [esp] 0x00000032 jmp 00007FE80087F913h 0x00000034 mov dword ptr [esi], ebx 0x00000036 setnl dh 0x00000039 mov ax, di 0x0000003c lea edx, dword ptr [00000000h+ebp*4] 0x00000043 jmp 00007FE80087501Dh 0x00000048 not dh 0x0000004a mov dx, word ptr [esp] 0x0000004e bsf dx, si 0x00000052 jnl 00007FE80087F8B0h 0x00000054 jmp 00007FE80087F8FCh 0x00000056 lea ebx, dword ptr [ebp+50h] 0x00000059 sub esp, 1Bh 0x0000005c jnc 00007FE80087F913h 0x0000005e rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A58C10 second address: A58C54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE800BB1BCBh 0x00000004 rol dh, cl 0x00000006 inc al 0x00000008 mov ax, EDEBh 0x0000000c xchg dword ptr [esp+0Ch], esi 0x00000010 bsr ax, sp 0x00000014 jmp 00007FE800BB1C40h 0x00000016 setns dl 0x00000019 mov dx, 02CBh 0x0000001d rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A5904F second address: A58EDF instructions: 0x00000000 rdtsc 0x00000002 call 00007FE80087F81Fh 0x00000007 pop word ptr [esp] 0x0000000b lea esp, dword ptr [esp+02h] 0x0000000f jmp 00007FE80087F806h 0x00000014 inc edi 0x00000015 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A58EDF second address: A58EFF instructions: 0x00000000 rdtsc 0x00000002 bswap eax 0x00000004 mov al, dl 0x00000006 mov dl, 86h 0x00000008 jmp 00007FE800BB1BC9h 0x0000000a rcr eax, cl 0x0000000c jns 00007FE800BB1BD8h 0x0000000e lea edx, dword ptr [esi+ebp] 0x00000011 xchg ax, dx 0x00000013 call 00007FE800BB1C40h 0x00000018 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A58EFF second address: A58F22 instructions: 0x00000000 rdtsc 0x00000002 call 00007FE80087F8B8h 0x00000007 lea esp, dword ptr [esp+01h] 0x0000000b lea eax, dword ptr [edx+esi] 0x0000000e pop ax 0x00000010 lea esp, dword ptr [esp+01h] 0x00000014 jmp 00007FE80087F8E0h 0x00000016 xchg dword ptr [esp], eax 0x00000019 sub edx, eax 0x0000001b lea edx, dword ptr [eax+ecx] 0x0000001e mov dx, di 0x00000021 sub esp, 07h 0x00000024 jmp 00007FE80087F90Ah 0x00000026 lea edx, dword ptr [5A7A1BB0h] 0x0000002c lea esp, dword ptr [esp+03h] 0x00000030 lea eax, dword ptr [eax+69h] 0x00000033 sub esp, 1Dh 0x00000036 lea edx, dword ptr [00000000h+edi*4] 0x0000003d push word ptr [esp+10h] 0x00000042 jmp 00007FE80087F899h 0x00000044 xchg dword ptr [esp+04h], edx 0x00000048 pop word ptr [esp+03h] 0x0000004d lea esp, dword ptr [esp+01h] 0x00000051 xchg dword ptr [esp+20h], eax 0x00000055 mov edx, ebx 0x00000057 push cx 0x00000059 jmp 00007FE80087F90Ah 0x0000005b mov edx, F108C7B0h 0x00000060 mov dl, byte ptr [esp] 0x00000063 lea esp, dword ptr [esp+02h] 0x00000067 push dword ptr [esp+20h] 0x0000006b retn 0024h 0x0000006e lea edx, dword ptr [edx+esi] 0x00000071 mov eax, esi 0x00000073 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A58F22 second address: A590CA instructions: 0x00000000 rdtsc 0x00000002 call 00007FE800BB1C8Fh 0x00000007 mov dh, al 0x00000009 lea eax, dword ptr [edx+edi] 0x0000000c xchg edx, eax 0x0000000e xchg dword ptr [esp], edi 0x00000011 mov ax, word ptr [esp] 0x00000015 call 00007FE800BB1BCCh 0x0000001a jmp 00007FE800BB1C54h 0x0000001c clc 0x0000001d inc dx 0x0000001f lea edi, dword ptr [edi+000000BCh] 0x00000025 mov dh, ah 0x00000027 stc 0x00000028 bsr dx, dx 0x0000002c jmp 00007FE800BB1BCAh 0x0000002e lea eax, dword ptr [edx+ebx] 0x00000031 xchg eax, edx 0x00000032 xchg dword ptr [esp+04h], edi 0x00000036 mov al, dl 0x00000038 ror dh, cl 0x0000003a jmp 00007FE800BB1C0Ch 0x0000003c mov dx, 2A86h 0x00000040 neg dx 0x00000043 push dword ptr [esp+04h] 0x00000047 retn 0008h 0x0000004a ror bl, 00000000h 0x0000004d xchg edx, eax 0x0000004f mov dx, F783h 0x00000053 lea edx, dword ptr [00000000h+edx*4] 0x0000005a jmp 00007FE800BB1D7Ch 0x0000005f mov eax, dword ptr [esp] 0x00000062 neg bl 0x00000064 inc ax 0x00000066 jo 00007FE800BB1B4Ch 0x0000006c jno 00007FE800BB1B28h 0x00000072 bt dx, si 0x00000076 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A52EFC second address: A52F0D instructions: 0x00000000 rdtsc 0x00000002 not ax 0x00000005 mov edx, esi 0x00000007 mov edi, dword ptr [edx] 0x00000009 jmp 00007FE80087F8B1h 0x0000000b bsr ax, si 0x0000000f jbe 00007FE80087F903h 0x00000011 not edx 0x00000013 mov dx, 7CB5h 0x00000017 jmp 00007FE80087F8E5h 0x00000019 add esi, 04h 0x0000001c mov edx, dword ptr [esp] 0x0000001f rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A52F0D second address: A53007 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [00000000h+ebp*4] 0x00000009 jmp 00007FE800BB1C31h 0x0000000b bt edx, edi 0x0000000e je 00007FE800BB1BD7h 0x00000010 jne 00007FE800BB1BD5h 0x00000012 push ebp 0x00000013 inc bh 0x00000015 jnle 00007FE800BB1C20h 0x00000017 jmp 00007FE800BB1BDAh 0x00000019 setnb al 0x0000001c or dl, bl 0x0000001e jmp 00007FE800BB1C19h 0x00000020 push ecx 0x00000021 xchg dx, bp 0x00000024 bsr dx, sp 0x00000028 jc 00007FE800BB1BD2h 0x0000002a jnc 00007FE800BB1C54h 0x0000002c lea eax, dword ptr [edi+00003A49h] 0x00000032 jmp 00007FE800BB1B88h 0x00000034 push esi 0x00000035 mov ah, bh 0x00000037 xchg cx, ax 0x0000003a cmc 0x0000003b jne 00007FE800BB1C25h 0x0000003d jmp 00007FE800BB1C1Eh 0x0000003f mov edx, dword ptr [esp] 0x00000042 mov bl, E9h 0x00000044 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A5A3C1 second address: A5A466 instructions: 0x00000000 rdtsc 0x00000002 dec ah 0x00000004 jmp 00007FE80087F90Bh 0x00000006 sub ebp, 04h 0x00000009 mov ah, 04h 0x0000000b ror al, cl 0x0000000d jnle 00007FE80087F8E5h 0x0000000f jmp 00007FE80087F90Dh 0x00000011 mov dword ptr [ebp+00h], ecx 0x00000014 mov ax, di 0x00000017 mov ax, DDFFh 0x0000001b mov edx, dword ptr [esp] 0x0000001e rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A4F8B0 second address: A4F90E instructions: 0x00000000 rdtsc 0x00000002 not ecx 0x00000004 push esi 0x00000005 jmp 00007FE800BB1C07h 0x00000007 neg dx 0x0000000a jle 00007FE800BB1C07h 0x0000000c stc 0x0000000d call 00007FE800BB1C2Dh 0x00000012 xchg eax, ebx 0x00000013 jmp 00007FE800BB1BB7h 0x00000015 push ebp 0x00000016 mov bh, ch 0x00000018 mov di, 6FF2h 0x0000001c cpuid 0x0000001e call 00007FE800BB1C09h 0x00000023 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A4EE2F second address: A4EF8A instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 jmp 00007FE80087F8B5h 0x00000006 mov edi, dword ptr [esi] 0x00000008 pushfd 0x00000009 mov edx, ebp 0x0000000b sub esp, 15h 0x0000000e jnp 00007FE80087F933h 0x00000010 jmp 00007FE80087F8A4h 0x00000012 cmp dx, cx 0x00000015 lea esp, dword ptr [esp+01h] 0x00000019 jmp 00007FE80087F944h 0x0000001b add esi, 04h 0x0000001e lea ebx, dword ptr [00000000h+esi*4] 0x00000025 bts ebx, edx 0x00000028 jl 00007FE80087F85Bh 0x0000002a jnl 00007FE80087F88Ah 0x0000002c bts ax, bp 0x00000030 rol ebx, 1Fh 0x00000033 jmp 00007FE80087F8B3h 0x00000035 bts dx, di 0x00000039 jmp 00007FE80087FA1Bh 0x0000003e jg 00007FE80087F96Dh 0x00000044 push ebp 0x00000045 mov bp, ax 0x00000048 lea ebx, dword ptr [esp-74B4BB32h] 0x0000004f sub esp, 18h 0x00000052 jnc 00007FE80087F7A1h 0x00000058 jmp 00007FE80087F8BAh 0x0000005a mov bp, EEBEh 0x0000005e jmp 00007FE80087F8FEh 0x00000060 lea edx, dword ptr [eax+64h] 0x00000063 sub esp, 1Bh 0x00000066 jnc 00007FE80087F8B0h 0x00000068 mov al, byte ptr [esp+18h] 0x0000006c jmp 00007FE80087F91Ch 0x0000006e lea esp, dword ptr [esp+03h] 0x00000072 mov dword ptr [esp+14h], ecx 0x00000076 lea esp, dword ptr [esp+14h] 0x0000007a jmp 00007FE80087F8ACh 0x0000007c rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A56FEF second address: A5709C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE800BB1C19h 0x00000004 mov ebx, dword ptr [esi] 0x00000006 mov dx, word ptr [esp] 0x0000000a setnl dh 0x0000000d bsf edx, edi 0x00000010 jc 00007FE800BB1BBDh 0x00000012 jnc 00007FE800BB1BBBh 0x00000014 jmp 00007FE800BB1C27h 0x00000016 mov al, byte ptr [esi+04h] 0x00000019 or dl, FFFFFFD0h 0x0000001c jp 00007FE800BB1BB5h 0x0000001e btr edx, edx 0x00000021 jmp 00007FE800BB1C19h 0x00000023 sub esp, 09h 0x00000026 add esp, 06h 0x00000029 lea esp, dword ptr [esp+03h] 0x0000002d jmp 00007FE800BB1BD0h 0x0000002f sub esi, 02h 0x00000032 bts edx, eax 0x00000035 jc 00007FE800BB1C0Ch 0x00000037 lea edx, dword ptr [edx+000000C2h] 0x0000003d jmp 00007FE800BB1BF6h 0x0000003f mov edx, 8AD7F0E6h 0x00000044 lea edx, dword ptr [00000000h+ecx*4] 0x0000004b jmp 00007FE800BB1C90h 0x00000050 xchg eax, ecx 0x00000051 mov dx, word ptr [esp] 0x00000055 setb dh 0x00000058 shl ebx, cl 0x0000005a jmp 00007FE800BB1B70h 0x0000005f mov dl, byte ptr [esp] 0x00000062 bswap edx 0x00000064 xchg eax, ecx 0x00000065 mov dl, byte ptr [esp] 0x00000068 mov dx, BFCAh 0x0000006c jmp 00007FE800BB1BCDh 0x0000006e mov dword ptr [esi+04h], ebx 0x00000071 mov bh, byte ptr [esp] 0x00000074 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A5709C second address: A5709E instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A5709E second address: A570A0 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A570A0 second address: A54228 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80087F90Dh 0x00000004 pushfd 0x00000005 pop dword ptr [esi] 0x00000007 lea edx, dword ptr [edx+ebx] 0x0000000a xchg ah, bl 0x0000000c jmp 00007FE80087F8A4h 0x0000000e lea eax, dword ptr [00000000h+edx*4] 0x00000015 mov ebx, dword ptr [esp] 0x00000018 jmp 00007FE80087CA33h 0x0000001d rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A5167C second address: A453E7 instructions: 0x00000000 rdtsc 0x00000002 mov ax, word ptr [esp] 0x00000006 mov ax, F87Ah 0x0000000a mov al, 63h 0x0000000c jmp 00007FE800BB1CF8h 0x00000011 lea ebp, dword ptr [ebp-0000C377h] 0x00000017 bswap edx 0x00000019 bsf bx, di 0x0000001d sub ah, FFFFFF9Ah 0x00000020 xchg dword ptr [esp], ebp 0x00000023 mov dx, sp 0x00000026 jmp 00007FE800BB1B18h 0x0000002b xchg eax, ebx 0x0000002c xchg bl, dl 0x0000002e not eax 0x00000030 push dword ptr [esp] 0x00000033 retn 0004h 0x00000036 mov ecx, edi 0x00000038 call 00007FE800BB1C0Bh 0x0000003d shr bl, cl 0x0000003f inc ah 0x00000041 call 00007FE800BB2364h 0x00000046 bswap edx 0x00000048 xchg dword ptr [esp+04h], ebp 0x0000004c xchg bx, dx 0x0000004f jmp 00007FE800BB156Ch 0x00000054 mov bx, EAE9h 0x00000058 neg dx 0x0000005b mov ax, word ptr [esp] 0x0000005f lea ebp, dword ptr [ebp+2Ch] 0x00000062 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A5EDCC second address: A5EC67 instructions: 0x00000000 rdtsc 0x00000002 mov ax, word ptr [esp] 0x00000006 jmp 00007FE80087F807h 0x0000000b xchg ebp, eax 0x0000000d mov al, 48h 0x0000000f mov ebp, edx 0x00000011 xchg dword ptr [esp], ebx 0x00000014 call 00007FE80087F859h 0x00000019 xchg ebx, edx 0x0000001b push word ptr [esp+01h] 0x00000020 jmp 00007FE80087F895h 0x00000022 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A452BD second address: A453E7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edi 0x00000004 call 00007FE800BB1C0Bh 0x00000009 shr bl, cl 0x0000000b inc ah 0x0000000d call 00007FE800BB2364h 0x00000012 bswap edx 0x00000014 xchg dword ptr [esp+04h], ebp 0x00000018 xchg bx, dx 0x0000001b jmp 00007FE800BB156Ch 0x00000020 mov bx, EAE9h 0x00000024 neg dx 0x00000027 mov ax, word ptr [esp] 0x0000002b lea ebp, dword ptr [ebp+2Ch] 0x0000002e rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe RDTSC instruction interceptor: First address: A75245 second address: A54228 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80087F8D6h 0x00000004 add al, dl 0x00000006 mov ax, ss 0x00000008 mov edx, dword ptr [esp] 0x0000000b mov bl, byte ptr [esp] 0x0000000e jmp 00007FE80087F908h 0x00000010 and edx, 2453CC41h 0x00000016 jne 00007FE80087F8B4h 0x00000018 xchg edx, ebx 0x0000001a call 00007FE80087F964h 0x0000001f bsf ebx, edi 0x00000022 neg ebx 0x00000024 neg bx 0x00000027 not ebx 0x00000029 xchg dword ptr [esp], eax 0x0000002c jmp 00007FE80087F88Ch 0x0000002e mov bh, ah 0x00000030 mov ebx, 2E8230DBh 0x00000035 cmc 0x00000036 pushfd 0x00000037 lea eax, dword ptr [eax+1Fh] 0x0000003a mov bx, DD22h 0x0000003e call 00007FE80087F8AAh 0x00000043 jmp 00007FE80087F8FBh 0x00000045 lea ebx, dword ptr [2917076Ah] 0x0000004b xchg dword ptr [esp+08h], eax 0x0000004f mov bx, 11BCh 0x00000053 and dx, 4BF9h 0x00000058 bsf bx, dx 0x0000005c pushad 0x0000005d jmp 00007FE80087F8FFh 0x0000005f xchg word ptr [esp+17h], bx 0x00000064 push dword ptr [esp+28h] 0x00000068 retn 002Ch 0x0000006b push eax 0x0000006c jmp 00007FE800839FB1h 0x00000071 pop ss 0x00000072 pushfd 0x00000073 jmp 00007FE8008C51F2h 0x00000078 pop dword ptr [esi] 0x0000007a mov bx, word ptr [esp] 0x0000007e inc edx 0x0000007f jno 00007FE80087F942h 0x00000081 neg bh 0x00000083 jmp 00007FE80085E7D8h 0x00000088 rdtsc
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Special instruction interceptor: First address: 11CFDC4 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Special instruction interceptor: First address: 115F75D instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\AdbWinApi.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\7z.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\cl64.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\AdbWinUsbApi.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\7z.exe
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\Uninstall.exe
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\msvcr100.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\Avengers.exe
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\cl32.dll
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Dropped PE file which has not been started: C:\Program Files (x86)\Gsm_X_Team\Avengers\need_files\adb.exe
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe TID: 6528 Thread sleep time: -1470000s >= -30000s
Source: C:\Users\user\Desktop\CXWk52EmUt.exe File Volume queried: C:\ FullSizeInformation
Source: Loader.exe, 00000004.00000003.2545233930.0000000004052000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Loader.exe, 00000004.00000003.2545233930.0000000004052000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Loader.exe, 00000004.00000003.2767723161.0000000001BC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe System information queried: ModuleInformation
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Open window title or class name: regmonclass
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Open window title or class name: filemonclass
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe System information queried: KernelDebuggerInformation
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Gsm_X_Team\Avengers\Loader.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://xteamzone.blogspot.com/
Source: Loader.exe, 00000004.00000003.2559650717.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3300078236.00000000044A4000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: Loader.exe, 00000004.00000002.3283975765.0000000000401000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Shell_TrayWnd
Source: Loader.exe, 00000004.00000003.2559650717.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000004.00000002.3300078236.00000000044A4000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: Loader.exe, 00000004.00000002.3283975765.0000000000401000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Shell_TrayWndS
Source: Loader.exe, 00000004.00000002.3283975765.0000000000401000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV
Source: C:\Users\user\Desktop\CXWk52EmUt.exe Queries volume information: C:\ VolumeInformation