| Field | Value |
|---|---|
| File name: | HtlxSpammer.hta |
| Full analysis: | https://app.any.run/tasks/f4c421aa-7384-4b12-aa43-bd326696120e |
| Verdict: | Malicious activity |
| Threats: | A loader is malware whose purpose is to get onto a device and deliver further payloads: it profiles the system and installs other threats such as trojans or stealers. Loaders are usually delivered through phishing emails and links that use social engineering to get the victim to download and run them, and they rely on evasion and persistence techniques to avoid detection. |
| Analysis date: | January 12, 2024, 23:00:42 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/html |
| File info: | HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators |
| MD5: | EFD64DAC7E8BAF937D0AA72D439B0E51 |
| SHA1: | 6C5C406560B20217310EF8622CD6A07217ED77B3 |
| SHA256: | 22D237AFEC68101ED2BDE08223559B314A79A73BAF4E2AF7563268B309641B6C |
| SSDEEP: | 6144:iJFK4Y1ZbsLLA60oG/rw5j3KJsdQZ2uyqv6TJwyU6kaCAFFtuLs/DjZ5MQqtKpY1:iJFfZSF |
| File type (TrID) | Match |
|---|---|
| .htm/html | HyperText Markup Language with DOCTYPE (80.6) |
| .html | HyperText Markup Language (19.3) |

| HTML metadata | Value |
|---|---|
| ContentType: | text/html; charset=UTF-8 |
| Title: | c# - How do I remedy "The breakpoint will not currently be hit. No symbols have been loaded for this document." warning? - Stack Overflow |
| Viewport: | width=device-width, height=device-height, initial-scale=1.0, minimum-scale=1.0 |
| TwitterCard: | summary |
| TwitterDomain: | stackoverflow.com |
| TwitterTitle: | How do I remedy "The breakpoint will not currently be hit. No symbols have been loaded for this document." warning? |
| TwitterDescription: | A C# desktop application (on the Visual Studio Express edition) worked, but then it didn't work 5 seconds later. I tried the following: Ensure debug configuration, debug flag, and full debug infor... |
| HTTPEquivOriginTrial: | A6OdGH3fVf4eKRDbXb4thXA4InNqDJDRhZ8U533U/roYjp4Yau0T3YSuc63vmAs/8ga1cD0E3A7LEq6AXk1uXgsAAACTeyJvcmlnaW4iOiJodHRwczovL2dvb2dsZXN5bmRpY2F0aW9uLmNvbTo0NDMiLCJmZWF0dXJlIjoiRmxlZGdlQmlkZGluZ0FuZEF1Y3Rpb25TZXJ2ZXIiLCJleHBpcnkiOjE3MTkzNTk5OTksImlzU3ViZG9tYWluIjp0cnVlLCJpc1RoaXJkUGFydHkiOnRydWV9 |
| PID | CMD | Path | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|
| 268 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2184 CREDAT:398593 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| 392 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2184 CREDAT:144385 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| 492 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.6.435680336\999855612" -childID 5 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 34336 -prefMapSize 244195 -jsInitHandle 904 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {840a5cd0-4e3e-4163-92df-496538858b96} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 4128 21702c90 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | admin | Mozilla Corporation | LOW | Firefox | 0 | 115.0.2 |
| 848 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.5.814956940\103727053" -childID 4 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 29209 -prefMapSize 244195 -jsInitHandle 904 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c3b2753-4bed-4965-b31e-5b912d2b10f9} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 3960 21702110 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | admin | Mozilla Corporation | LOW | Firefox | 0 | 115.0.2 |
| 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESDF1.tmp" "c:\Users\admin\AppData\Local\Temp\CSCCFC53687B89E42B9A969DCC37433710.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | csc.exe | admin | Microsoft Corporation | MEDIUM | Microsoft® Resource File To COFF Object Conversion Utility | 0 | 14.10.25028.0 built by: VCTOOLSD15RTM |
| 1484 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\i350fn0z.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | powershell.exe | admin | Microsoft Corporation | MEDIUM | Visual C# Command Line Compiler | 0 | 4.8.3761.0 built by: NET48REL1 |
| 1972 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.4.1197025668\1537628603" -childID 3 -isForBrowser -prefsHandle 3816 -prefMapHandle 3812 -prefsLen 29209 -prefMapSize 244195 -jsInitHandle 904 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c959f8c6-3545-4b90-b514-506c24ec08d8} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 3844 1dddcc90 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | admin | Mozilla Corporation | LOW | Firefox | 0 | 115.0.2 |
| 2184 | "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\AppData\Local\Temp\HtlxSpammer.hta.htm" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 1 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| 2296 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2340 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.7.278287152\1935585408" -childID 6 -isForBrowser -prefsHandle 4248 -prefMapHandle 4244 -prefsLen 29313 -prefMapSize 244195 -jsInitHandle 904 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3beafcf8-6ee7-4669-925f-ca413c3f5b69} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 4264 230089b0 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | admin | Mozilla Corporation | LOW | Firefox | 0 | 115.0.2 |
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 0 |
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 30847387 |
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 30847437 |
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0 |
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0 |
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| (2184) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2184 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | 1BFE591A4FE3D91B03CDF26EAACD8F89 | 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8 |
| 2184 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFDD2D78783019A790.TMP | binary | 739F75EE2578FD00A6E0424538182606 | DEC20DE1FF5D7C3855EE954FD7E13C556A5FCC77732558F9986A2A06ED3FC4FF |
| 2184 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 |
| 2184 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[2].ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 |
| 2184 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{42C873D0-1D90-11EB-BA2C-12A9866C77DE}.dat | binary | 514EC7BEC52C83F1CEAB4EF7EB258602 | 3937D09D8F01EDCBE9167EC8472565ECAF681725420CC6B67B2802A35AABD307 |
| 2184 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | der | 3651EFE3C0DEAC400E323005E136EEE5 | 9C928745D7E2F5561C5E5FAFE5281CA741FAEA3EB895D4A508D47ECB7AC4A148 |
| 2184 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | binary | AD6D17F21363A4A08FB21E9FC32E95AE | C4D164DA3200A3D1353BC2817D6114AFD0C4D1DF0D821C10BE6764F7A70AC2A9 |
| 2500 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7QU7WK3MUIU4MXD57ASZ.temp | binary | F500255BDC0DD45A0934243E38529D10 | AD4304402753CEF71770C63692428001309617BDA00D87E229D197721D29496E |
| 2184 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary | B6D367FA1129A614A6CE6D7A1D2D50FA | 6CB6671A73DA4DF55D996C0793A5ACB17EFCD84AD3FDDBE2A390602E1FBF922C |
| 2184 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF02413238E67FBF07.TMP | binary | A5D730B965DCD41A52B23FF96EE8044B | 518889CC6082D9BDB8B275235249EC0D4E0B869393B73F7E22A28BDF92FC7300 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2184 | iexplore.exe | GET | 200 | 92.122.244.9:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ed92cde4cb766a79 | unknown | compressed | 4.66 Kb | unknown |
2184 | iexplore.exe | GET | 200 | 92.122.244.9:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?56a48ccbaf965781 | unknown | compressed | 4.66 Kb | unknown |
2184 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 313 b | unknown |
1080 | svchost.exe | GET | 304 | 184.24.77.202:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?34275567a5b520f7 | unknown | — | — | unknown |
2184 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
2500 | powershell.exe | GET | 200 | 166.1.160.10:80 | http://166.1.160.10/k/loader.txt | unknown | text | 636 b | unknown |
2500 | powershell.exe | GET | 200 | 166.1.160.10:80 | http://166.1.160.10/k/file.bin | unknown | binary | 328 Kb | unknown |
2500 | powershell.exe | GET | 200 | 166.1.160.10:80 | http://166.1.160.10/k/file1.bin | unknown | executable | 6.00 Kb | unknown |
2752 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | text | 90 b | unknown |
2752 | firefox.exe | POST | 200 | 184.24.77.45:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2184 | iexplore.exe | 92.123.104.33:443 | www.bing.com | Akamai International B.V. | DE | unknown |
2184 | iexplore.exe | 92.122.244.9:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
2184 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
2184 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | EDGECAST | US | whitelisted |
1080 | svchost.exe | 184.24.77.202:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
2500 | powershell.exe | 166.1.160.10:80 | — | SPRINTLINK | US | unknown |
3036 | RegAsm.exe | 45.144.232.99:6666 | — | Garant-G Ltd. | RU | unknown |
| Domain | IP | Reputation |
|---|---|---|
| api.bing.com | | whitelisted |
| www.bing.com | | whitelisted |
| ctldl.windowsupdate.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| r20swj13mr.microsoft.com | | whitelisted |
| iecvlist.microsoft.com | | whitelisted |
| detectportal.firefox.com | | whitelisted |
| prod.detectportal.prod.cloudops.mozgcp.net | | whitelisted |
| example.org | | whitelisted |
| ipv4only.arpa | | whitelisted |
PID | Process | Class | Message |
|---|---|---|---|
2500 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
2500 | powershell.exe | Misc activity | ET HUNTING Suspicious Windows Executable CreateRemoteThread |
2500 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2500 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
2500 | powershell.exe | Misc activity | ET HUNTING Suspicious Windows Executable WriteProcessMemory |
2500 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
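The three things worth pulling out of the tables above are the process pair csc.exe (parent powershell.exe) followed by cvtres.exe (parent csc.exe), which is what PowerShell compiling C# on the fly looks like; powershell.exe (2500) fetching loader.txt, file.bin and file1.bin from the bare address 166.1.160.10 while the IDS flags WriteProcessMemory and CreateRemoteThread against it; and RegAsm.exe (3036), a signed .NET utility with no reason to be on the network, connecting to 45.144.232.99:6666 with no domain resolved. Note that the process rows for powershell.exe (2500) and RegAsm.exe (3036) are not in the process table excerpt on this page, so their parents are not known from it. The script below is an added example, not ANY.RUN's code and not part of the report: it encodes those three observations as triage rules and runs them over records constructed by hand from this page's rows. The script-host, compiler and .NET LOLBin name lists are assumptions of the example, not data from the report.

```python
"""Triage rules over sandbox process, HTTP and connection records.

Added example; not ANY.RUN's code. The records are constructed by hand
from the rows in this report (PIDs, image names, URLs, addresses).
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Process:
    pid: int
    image: str      # image file name as the report shows it
    parent: str     # parent image file name


@dataclass(frozen=True)
class HttpRequest:
    pid: int
    image: str
    url: str
    kind: str       # the report's Type column: text / binary / executable


@dataclass(frozen=True)
class Connection:
    pid: int
    image: str
    ip: str
    port: int
    domain: Optional[str]   # None where the report shows no domain


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


# Constructed from the report's tables (a subset that exercises each rule).
PROCESSES = [
    Process(2184, "iexplore.exe", "explorer.exe"),
    Process(268, "iexplore.exe", "iexplore.exe"),
    Process(1484, "csc.exe", "powershell.exe"),
    Process(948, "cvtres.exe", "csc.exe"),
    Process(492, "firefox.exe", "firefox.exe"),
]
HTTP = [
    HttpRequest(2500, "powershell.exe", "http://166.1.160.10/k/loader.txt", "text"),
    HttpRequest(2500, "powershell.exe", "http://166.1.160.10/k/file.bin", "binary"),
    HttpRequest(2500, "powershell.exe", "http://166.1.160.10/k/file1.bin", "executable"),
    HttpRequest(2752, "firefox.exe", "http://detectportal.firefox.com/canonical.html", "text"),
]
CONNECTIONS = [
    Connection(2184, "iexplore.exe", "92.123.104.33", 443, "www.bing.com"),
    Connection(2500, "powershell.exe", "166.1.160.10", 80, None),
    Connection(3036, "RegAsm.exe", "45.144.232.99", 6666, None),
]

# Assumed name lists (not from the report): script hosts that should not drive
# a compiler or pull files from bare IPs, and signed .NET utilities that
# loaders commonly hollow out to host their payload.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
DOTNET_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def is_ip_literal(host: str) -> bool:
    """True when a URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def rule_inline_compile(processes: List[Process]) -> List[Finding]:
    """csc.exe/vbc.exe started by a script host: Add-Type style on-the-fly
    compilation, the origin of this report's csc.exe -> cvtres.exe pair."""
    return [Finding("inline_dotnet_compile", p.pid, p.image, f"parent={p.parent}")
            for p in processes
            if p.image.lower() in DOTNET_COMPILERS and p.parent.lower() in SCRIPT_HOSTS]


def rule_script_host_fetch_from_ip(requests: List[HttpRequest]) -> List[Finding]:
    """A script host downloading from a host given as a bare IP address;
    the served content type is carried in the detail for prioritisation."""
    out = []
    for r in requests:
        host = urlparse(r.url).hostname or ""
        if r.image.lower() in SCRIPT_HOSTS and is_ip_literal(host):
            out.append(Finding("script_host_fetch_from_ip", r.pid, r.image,
                               f"{r.url} type={r.kind}"))
    return out


def rule_dotnet_lolbin_beacon(conns: List[Connection]) -> List[Finding]:
    """A .NET utility with no business on the network connects out, either
    to an address with no domain behind it or on a non-web port."""
    return [Finding("dotnet_lolbin_beacon", c.pid, c.image,
                    f"{c.ip}:{c.port} domain={c.domain}")
            for c in conns
            if c.image.lower() in DOTNET_LOLBINS
            and (c.domain is None or c.port not in (80, 443))]


def triage(processes, requests, conns) -> List[Finding]:
    """Run every rule and return the combined findings."""
    return (rule_inline_compile(processes)
            + rule_script_host_fetch_from_ip(requests)
            + rule_dotnet_lolbin_beacon(conns))


if __name__ == "__main__":
    for f in triage(PROCESSES, HTTP, CONNECTIONS):
        print(f"[{f.rule}] pid={f.pid} {f.image}: {f.detail}")
```

Each rule is deliberately narrow: csc.exe under a script host is a strong signal on its own, whereas a bare-IP download is only worth escalating together with what was fetched (here a 6 KB file1.bin served as an executable) and with what the downloading process did next (the WriteProcessMemory and CreateRemoteThread alerts above). The RegAsm.exe rule is the one to port to egress telemetry first, since it needs no host visibility at all.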