Edit tour

Windows Analysis Report
BloxStrap-v2.5.4.exe

Overview

General Information

Sample name:	BloxStrap-v2.5.4.exe
Analysis ID:	1397849
MD5:	5a00d26fb5a91ed9aaa18b63a855ae86
SHA1:	99e15f5c635f20f6423af6d4d9ddaea8ce5fbe68
SHA256:	2c70eaecc9c8ee5084aae91a55116e11c57d63bcbc539392cc764b8580d1e5b7
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

BloxStrap-v2.5.4.exe (PID: 3428 cmdline: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe MD5: 5A00D26FB5A91ED9AAA18B63A855AE86)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5256 cmdline: powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5332 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cleanup

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe, CommandLine: powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe, ParentImage: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe, ParentProcessId: 3428, ParentProcessName: BloxStrap-v2.5.4.exe, ProcessCommandLine: powershell.exe, ProcessId: 5256, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Source: BloxStrap-v2.5.4.exe

Static PE information: certificate valid

Source: BloxStrap-v2.5.4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\source\repos\Swing\Swing\obj\Debug\BloxStrap.pdb source: BloxStrap-v2.5.4.exe

Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: powershell.exe, 00000003.00000002.2139051106.0000014818D59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: BloxStrap-v2.5.4.exe, 00000001.00000002.2156378616.0000028AD2111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2122991081.0000014808CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2145224164.00000148211D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2146266671.000001482141C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: powershell.exe, 00000003.00000002.2122991081.0000014808CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000003.00000002.2122991081.0000014808CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2122991081.0000014808CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xG
Source: powershell.exe, 00000003.00000002.2122991081.000001480A957000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2122991081.000001480A957000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2122991081.000001480A957000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2139051106.0000014818D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2122991081.000001480A957000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD34896DB0	3_2_00007FFD34896DB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD34896E30	3_2_00007FFD34896E30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD34896045	3_2_00007FFD34896045
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3489C93B	3_2_00007FFD3489C93B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348941F2	3_2_00007FFD348941F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3489CA35	3_2_00007FFD3489CA35
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3489DA22	3_2_00007FFD3489DA22
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3489CA90	3_2_00007FFD3489CA90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3489F458	3_2_00007FFD3489F458

Source: BloxStrap-v2.5.4.exe

Static PE information: No import functions for PE file found

Source: BloxStrap-v2.5.4.exe, 00000001.00000000.2077783477.0000028AD0314000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBloxStrap.exe4 vs BloxStrap-v2.5.4.exe
Source: BloxStrap-v2.5.4.exe	Binary or memory string: OriginalFilenameBloxStrap.exe4 vs BloxStrap-v2.5.4.exe

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: classification engine

Classification label: mal48.winEXE@6/6@0/0

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BloxStrap-v2.5.4.exe.log

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_goneh5ql.wtd.ps1

Jump to behavior

Source: BloxStrap-v2.5.4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BloxStrap-v2.5.4.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe C:\Users\user\Desktop\BloxStrap-v2.5.4.exe
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe	Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: BloxStrap-v2.5.4.exe

Static PE information: certificate valid

Source: BloxStrap-v2.5.4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BloxStrap-v2.5.4.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: BloxStrap-v2.5.4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: BloxStrap-v2.5.4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\source\repos\Swing\Swing\obj\Debug\BloxStrap.pdb source: BloxStrap-v2.5.4.exe

Source: BloxStrap-v2.5.4.exe

Static PE information: 0xDE722363 [Mon Apr 5 16:48:35 2088 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3477D2A5 pushad ; iretd	3_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348A04DD push esp; retf	3_2_00007FFD348A04DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3489D640 push eax; ret	3_2_00007FFD3489D649
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3489776A push eax; iretd	3_2_00007FFD3489786D

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Memory allocated: 28AD0560000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Memory allocated: 28AEA110000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4933			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3998			Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe TID: 5696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836	Thread sleep count: 4933 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836	Thread sleep count: 3998 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3060	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: BloxStrap-v2.5.4.exe, 00000001.00000002.2155110525.0000028AD05E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}M
Source: BloxStrap-v2.5.4.exe, 00000001.00000002.2156032136.0000028AD063D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: BloxStrap-v2.5.4.exe, 00000001.00000002.2156032136.0000028AD063D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}G

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe

Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Queries volume information: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Virtualization/Sandbox Evasion	Security Account Manager	32 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BloxStrap-v2.5.4.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/	0%	URL Reputation	safe
http://ocsps.ssl.com0?	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://ocsps.ssl.com0	0%	URL Reputation	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2139051106.0000014818D59000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	BloxStrap-v2.5.4.exe	false		high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	BloxStrap-v2.5.4.exe	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	BloxStrap-v2.5.4.exe	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000003.00000002.2122991081.000001480A957000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2139051106.0000014818D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2122991081.000001480A957000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ssl.com/repository0	BloxStrap-v2.5.4.exe	false		high
http://ocsps.ssl.com0?	BloxStrap-v2.5.4.exe	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 00000003.00000002.2145224164.00000148211D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2146266671.000001482141C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000003.00000002.2122991081.000001480A957000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	BloxStrap-v2.5.4.exe	false		high
https://aka.ms/pscore6xG	powershell.exe, 00000003.00000002.2122991081.0000014808CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000003.00000002.2122991081.000001480A957000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	BloxStrap-v2.5.4.exe	false		high
http://ocsps.ssl.com0	BloxStrap-v2.5.4.exe	false	URL Reputation: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000003.00000002.2122991081.0000014808CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.2122991081.0000014808CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BloxStrap-v2.5.4.exe, 00000001.00000002.2156378616.0000028AD2111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2122991081.0000014808CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	BloxStrap-v2.5.4.exe	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.2122991081.0000014808FA2000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1397849
Start date and time:	2024-02-23 17:58:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BloxStrap-v2.5.4.exe
Detection:	MAL
Classification:	mal48.winEXE@6/6@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 69% Number of executed functions: 24 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BloxStrap-v2.5.4.exe, PID 3428 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5256 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
VT rate limit hit for: BloxStrap-v2.5.4.exe

Simulations

Behavior and APIs

Time	Type	Description
17:59:00	API Interceptor	22x Sleep call for process: powershell.exe modified

Process:	C:\Users\user\Desktop\BloxStrap-v2.5.4.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.355760272568367
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2FDkwIyp1v:Q3La/KDLI4MWuPXcp1v
MD5:	FC3575D5BE1A5405683DC33B66D36243
SHA1:	1C816D34B7D5B96E077DC3EF640BA8C7BA370502
SHA-256:	1D7F7FBA862417A1D0351C1BF454F1A9BB0ED7FFD5DF1112EED802C01BDDA50C
SHA-512:	68914FE00F8550A623074F9ACC31ACEF8A3F6DFDDBD9FDA23512079BEC5E8A4D4E82BC8CD8D536E6C88F4DA3A704AC376785B44343BD3BED83E440857A3C0164
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	3000
Entropy (8bit):	5.470295800121604
Encrypted:	false
SSDEEP:	48:/izsSU4y4RQmFoUeCamfg9qr9t5/78NfRrigxJZKaVEouYAgwd64rHLjtv8:/izlHyIFKL2I9qrh7KfRxJ5Eo9Adrx8
MD5:	665209CC62E842011D30330261A3455F
SHA1:	AD5468B159D2612272D4DDBC721628ACB8F4D9C3
SHA-256:	2D7C2547443774F9D1994CE4D75DD22C5ABED605A22C26C5A32DCE1CA7A3108C
SHA-512:	8BAA4F808E933E5CF3D78C4A5960491580C8DA0987E034CE7E0B522906FB6A3C55B3369639116D8BA85BAB1D99E8E704D49D0875D24D860FAC8A540B5DDF9944
Malicious:	false
Reputation:	low
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..+.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0rb1zono.yim.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsiaprhi.k4h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_goneh5ql.wtd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_markb1bx.euz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.610456036637309
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	BloxStrap-v2.5.4.exe
File size:	121'192 bytes
MD5:	5a00d26fb5a91ed9aaa18b63a855ae86
SHA1:	99e15f5c635f20f6423af6d4d9ddaea8ce5fbe68
SHA256:	2c70eaecc9c8ee5084aae91a55116e11c57d63bcbc539392cc764b8580d1e5b7
SHA512:	bb675ed7c9965e421ab5975156571a28e3502b3e448c5f7ae52760c91a945d30fab3c25520be4fed196cab0ab8021901eecea6d14606e87b022eafc8254f0124
SSDEEP:	3072:9fk29dliNETddwY0JwsR4TbswYqkX5bEdGDOjESHhddJWjjY/ffIg0ju2UBs5CqS:9F9dXHqS
TLSH:	C2C3C5FD6C456034C2F7417445F26D26E2286A8C9FC97112333CB6EEABBB8585643B93
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...c#r..........."...0.................. .....@..... ....................................`...@......@............... .....

File Icon


Icon Hash:	0d718d925244412f

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDE722363 [Mon Apr 5 16:48:35 2088 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com Code Signing Intermediate CA RSA R1, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	14/09/2023 21:00:47 13/09/2024 21:00:47
Subject Chain	CN=Raecomm Services Ltd, O=Raecomm Services Ltd, L=Rowlands Gill, S=England, C=GB
Version:	3
Thumbprint MD5:	FD10F61314EF50BDF5F137564C4014F4
Thumbprint SHA-1:	C650164579439A7BC20B4A73F70335D67663DCEA
Thumbprint SHA-256:	928953EA05FBF99EF21CAAC9289343E0E219BBB36EA473CAFFB4BD893CF01148
Serial:	4071BFD40B15020A57FAD20E1A50D3A7

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x1a1b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1b400	0x2568	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2e14	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xeac	0x1000	457616a5e1548dcc08b6822ea615acf8	False	0.517578125	data	5.085976412777356	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x1a1b0	0x1a200	3ff2fcbe1ebd92a0f93b556a02e08d39	False	0.29979066985645936	data	5.281989404743481	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x41a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0, resolution 5668 x 5668 px/m	0.8102836879432624
RT_ICON	0x4618	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0, resolution 5668 x 5668 px/m	0.669672131147541
RT_ICON	0x4fb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0, resolution 5668 x 5668 px/m	0.5651969981238274
RT_ICON	0x6068	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0, resolution 5668 x 5668 px/m	0.4327800829875519
RT_ICON	0x8620	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0, resolution 5668 x 5668 px/m	0.35468823807274447
RT_ICON	0xc858	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0, resolution 5668 x 5668 px/m	0.2291346267597303
RT_GROUP_ICON	0x1d090	0x5a	data	0.7555555555555555
RT_VERSION	0x1d0fc	0x34c	data	0.41824644549763035
RT_MANIFEST	0x1d458	0xd53	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.38463793608912344

• BloxStrap-v2.5.4.exe
• conhost.exe
• powershell.exe
• conhost.exe
• WmiPrvSE.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• BloxStrap-v2.5.4.exe
• conhost.exe
• powershell.exe
• conhost.exe
• WmiPrvSE.exe

Click to jump to process

Target ID:	1
Start time:	17:58:58
Start date:	23/02/2024
Path:	C:\Users\user\Desktop\BloxStrap-v2.5.4.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\BloxStrap-v2.5.4.exe
Imagebase:	0x28ad0310000
File size:	121'192 bytes
MD5 hash:	5A00D26FB5A91ED9AAA18B63A855AE86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:58:58
Start date:	23/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:58:58
Start date:	23/02/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:58:58
Start date:	23/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:59:02
Start date:	23/02/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00007FFD348A0611 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2157129472.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29929519f63e91decedbef988b1516d3593a5ca0c615720ab17ff36ab73ef808
Instruction ID: af2832b15b37d7ea369185006cfe25b0890bf5501af19223f0c9c19376686711
Opcode Fuzzy Hash: 29929519f63e91decedbef988b1516d3593a5ca0c615720ab17ff36ab73ef808
Instruction Fuzzy Hash: 0B01B582B0F6DA0FF7969B7C08F51A41F91DFA7290B1845F6C188CB0E3D84C68076362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0D5D Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2157129472.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32b3fcb81700ffa077f2639fbf587c9f8d38b510d7066da14c3ba409e61a10e
Instruction ID: 71850cc248b6aad0b86828a9894dcd1010ccbc98ad384e00f003d038b680f917
Opcode Fuzzy Hash: b32b3fcb81700ffa077f2639fbf587c9f8d38b510d7066da14c3ba409e61a10e
Instruction Fuzzy Hash: 6D01C026A1DAC94EE752DB6848611E97BA1EF47200B0845F6D98CD71D3CE28691A8392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A09BD Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2157129472.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65518945ae92d3fe1c60aedf85c32354ffe019d061c421c93c3a04c5f6e6972a
Instruction ID: 51258e1c7113f98ac15940a1c490eb82b1a1681512113e3b4483082772a45a97
Opcode Fuzzy Hash: 65518945ae92d3fe1c60aedf85c32354ffe019d061c421c93c3a04c5f6e6972a
Instruction Fuzzy Hash: D921803071984A8FD7C5EB2CC0A5BA9BBE1FF5A304F0801A5D14DC3293CFA8A8529790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0FF5 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2157129472.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49aebec89551ef53c94f8afa6d39413c81c3381c28b895ba5f73d4999ce37f57
Instruction ID: 932c86594f576c4fbae1b0e2074110e74da17441602cb46d42fe4ee1005b81c9
Opcode Fuzzy Hash: 49aebec89551ef53c94f8afa6d39413c81c3381c28b895ba5f73d4999ce37f57
Instruction Fuzzy Hash: E911323664E6D54FD703936858616E5BFB0EF43300F0D02E7D098CB193CA2C6A1683E2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0AA9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2157129472.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a33f4aba4058d47da5e1b5337645ca57952803969b64935e65d31244b610273
Instruction ID: 2191993589c1aeb2ecb94188bb6600493eeb7b350f50fdf9f42bf75b869a0eb2
Opcode Fuzzy Hash: 5a33f4aba4058d47da5e1b5337645ca57952803969b64935e65d31244b610273
Instruction Fuzzy Hash: 86014535A4E5C95FD7429B7818264EA3FE0DF07315B0D02E3E08CDB183C92C2A9687B2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A08BD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2157129472.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ace3f6b8c8d19881160819eb5bae9cf5d8c56de8a71f8feaf2f10129885f536
Instruction ID: cd7bad813384ed4665419cdd1601b3f3e2176a80c4032afbd5550e1e8ff9b0a7
Opcode Fuzzy Hash: 3ace3f6b8c8d19881160819eb5bae9cf5d8c56de8a71f8feaf2f10129885f536
Instruction Fuzzy Hash: 35F0F683B0FA9A0FF392A76C09A41A85B91EF97290B1C01F7C18CC70D7DC4C680A6361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0919 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2157129472.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c12d1898f32f053b9c35ef939f7bb2169c0db36a546ecbe9f09c2ca328829fe
Instruction ID: 7111aab860c4749c9ebcf69dccbfa2bbf8577783b0e02637d8a70c2b63e17d3f
Opcode Fuzzy Hash: 3c12d1898f32f053b9c35ef939f7bb2169c0db36a546ecbe9f09c2ca328829fe
Instruction Fuzzy Hash: 7AF0A73580F6C85FD782DF3488715A5BFB0EF47200B0D41EAD188CB153C669551487A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0A72 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2157129472.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7494f7d7c1878651df7b840ccbd73f7406203d50f9844b478d8c0c38f0d09f
Instruction ID: fd8680ecf56f37c731458803073a932448a047292e461db74a2c11d9dc3cceb7
Opcode Fuzzy Hash: 3c7494f7d7c1878651df7b840ccbd73f7406203d50f9844b478d8c0c38f0d09f
Instruction Fuzzy Hash: E7E0CD3664DD8C4BDB44EF59AC114D67BA4FBCA30CF0005ABE65CC7241D6259951C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0899 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2157129472.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69fdc846b5c47db7ea065eae0d4881e99e5ff1e2afb6c4dccdd97a9a3477e88
Instruction ID: b8a1bb91084c4c9d8725cae98fc13cf331e9e2679affc30f75f6c8563db7a1ee
Opcode Fuzzy Hash: b69fdc846b5c47db7ea065eae0d4881e99e5ff1e2afb6c4dccdd97a9a3477e88
Instruction Fuzzy Hash: 1FC00208E4F40705E8D43BE518E20F825407F4726CFD604B0EA8CD15839DCE25956176

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 5256, Parent PID: 3428COMMON

Executed Functions

Function 00007FFD34896DB0 Relevance: 5.0, Strings: 3, Instructions: 1258COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD3489C594
pN_H, xrefs: 00007FFD3489CE3D
ZN_H, xrefs: 00007FFD3489CA6D

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: ZN_H$d$pN_H
API String ID: 0-4005496264
Opcode ID: 66655f93dfa94fa26a559dadda1b294f195dfe8490aabe43ec8554bd2c0cfef6
Instruction ID: 67961800500253503ba96819f0f8d5f501f72f4cdd5bd1688459ff18a83e426f
Opcode Fuzzy Hash: 66655f93dfa94fa26a559dadda1b294f195dfe8490aabe43ec8554bd2c0cfef6
Instruction Fuzzy Hash: 5B823531B1DE8A4FE759DB6884A56B97BD1FF57310B0442BEC18EC7192DE2DA8438780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34896E30 Relevance: 2.0, Strings: 1, Instructions: 750COMMON

Download Yara Rule

Strings

ZN_H, xrefs: 00007FFD3489CA6D

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: ZN_H
API String ID: 0-3134461993
Opcode ID: 2a0b69b618ac8f72f47958fd7c1bbfe5cf1be058d21e073ad7dc384f95a3f8a3
Instruction ID: 2eadd7b2f57223452a328c9094f463d9cb55bc72e05ee10c210c54aca39f2d21
Opcode Fuzzy Hash: 2a0b69b618ac8f72f47958fd7c1bbfe5cf1be058d21e073ad7dc384f95a3f8a3
Instruction Fuzzy Hash: 24223871B1DE8A4FE759DF6884662B9BBD1FF56310B4442BED04EC7192DE3CA8428780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489C93B Relevance: 1.7, Strings: 1, Instructions: 474COMMON

Download Yara Rule

Strings

ZN_H, xrefs: 00007FFD3489CA6D

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: ZN_H
API String ID: 0-3134461993
Opcode ID: d30c9fb357c6b31c80c8421457305f91a9257df04db07fcdc3b5f47dc7ff8a5a
Instruction ID: bbbc71f1f5661404c6aa37c263a6779d276a5e770378b13ae486a7dedb18f802
Opcode Fuzzy Hash: d30c9fb357c6b31c80c8421457305f91a9257df04db07fcdc3b5f47dc7ff8a5a
Instruction Fuzzy Hash: F2E11871B1DE8A4FE799DB7884652A97BD1FF96310B4441BED04EC7292DD3CAC428780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489CA35 Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

ZN_H, xrefs: 00007FFD3489CA6D

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: ZN_H
API String ID: 0-3134461993
Opcode ID: 163fa2d18b25289879f5f9630f05c1f6a834634856ac044a67349200f79c62a8
Instruction ID: 7ab9e5f09469881aff5e7072e97c795c7b4118276c220a3fbcc64dfc93ab3dda
Opcode Fuzzy Hash: 163fa2d18b25289879f5f9630f05c1f6a834634856ac044a67349200f79c62a8
Instruction Fuzzy Hash: 3BB12671B1DE864FE759DB78446A2A9BBD1EF96360B4441BEC04EC7292DD2CAC438740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489CA90 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3066386b53e0a1484f16032cbbbe78da6c6b2bf4cd628a81f70dcd73c0079be
Instruction ID: 145850b7749ee892c2a02ec7f33cc8b1e5dff114be814d9c274143c100fe818f
Opcode Fuzzy Hash: c3066386b53e0a1484f16032cbbbe78da6c6b2bf4cd628a81f70dcd73c0079be
Instruction Fuzzy Hash: 6CA11631B1DE864FE759DB78447A2A97BD1EF96360B4841BEC04EC72A2DD2CAC438341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3496164A Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2148748625.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874179930e18e46ffc24b038f58366a1b58ac9a8655a0ff0c6d0ce84d8c6ee16
Instruction ID: 192a92fbec1d1d9c2a9b2b3ff06ce5a94f415345cae18a2043ba69b24b13ae0b
Opcode Fuzzy Hash: 874179930e18e46ffc24b038f58366a1b58ac9a8655a0ff0c6d0ce84d8c6ee16
Instruction Fuzzy Hash: 70022422B0DB890FE79A972858B61B47BE1EF97220B4801FFD58DC7197ED1CAC069351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD349666AC Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2148748625.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8437ca51b1fb68f0c92f33e531797c3eb76c527a44218bedb30dd27037196da7
Instruction ID: 105b2af1eb89522c1a3a75ff061a34b995f81494b707c5e957a7b50509be3285
Opcode Fuzzy Hash: 8437ca51b1fb68f0c92f33e531797c3eb76c527a44218bedb30dd27037196da7
Instruction Fuzzy Hash: D5C1E422A0E7C50FE766972858755A47FE0EF97230B0941FFD588CB1A7D91CAC0AC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489E87F Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86ccc45846614427726e1d14ced87dd3370d11cf52dde464aa17c17290c1c94
Instruction ID: d57e8e070dbe1c8b3a2d6f52fd4a9c83baba54218e912c088fc8a646c6f63bb6
Opcode Fuzzy Hash: e86ccc45846614427726e1d14ced87dd3370d11cf52dde464aa17c17290c1c94
Instruction Fuzzy Hash: 9181073070CE494FE798EB6CA4A56B57BD1EF9A310B1401BED58EC72A7DD28EC428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34966433 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2148748625.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7896ccf04a682ff29e93e094820fa23f98b34a8aebf45e49ca85919c573f4652
Instruction ID: 2815b84b52da92fade8c627e61f3221051f62529c90eda833a285827f4bdc2c7
Opcode Fuzzy Hash: 7896ccf04a682ff29e93e094820fa23f98b34a8aebf45e49ca85919c573f4652
Instruction Fuzzy Hash: D351E432B0DA460FEBA99A1C54A11B477D2EF96330B5800BEC64DC71ABDE2DFC058351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3477E380 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2147168255.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd3477d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e927ad7bcce1693fcb9b544762d767d7861de7dcac4d052d6d85835d15b03958
Instruction ID: d55d10f9939a848967c0a3752bcacbf5ead8db049cbe8aa4b24081d5c5c952e7
Opcode Fuzzy Hash: e927ad7bcce1693fcb9b544762d767d7861de7dcac4d052d6d85835d15b03958
Instruction Fuzzy Hash: 3B41E2B140DBC48FE7568B2898959623FB0EF53214B1945EFD08CCB1A3D669B846C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3496647F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2148748625.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8c4745f1325fe7ad7046d46f37a50e57e179b5a761ec21a74fefe17d233cc3
Instruction ID: 554b6e77cf259d46a23bf466648963f2ad4b9d6908534b07be37b519213cbf46
Opcode Fuzzy Hash: bf8c4745f1325fe7ad7046d46f37a50e57e179b5a761ec21a74fefe17d233cc3
Instruction Fuzzy Hash: B621DD32B0EA860FE7A59A1854F117466D2EF56330B5900BEDA5EC71BACE2DFC059311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3496676C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2148748625.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91979350274c464799836e25620582e0c360d4eba35b86db306ba264c7da96cf
Instruction ID: 70126004a223e5ca34bdde53992c05950f169184b34357ea0cdd69ae4a639cf7
Opcode Fuzzy Hash: 91979350274c464799836e25620582e0c360d4eba35b86db306ba264c7da96cf
Instruction Fuzzy Hash: 5511E032A0E6450FE6A4D71894B4AB43AD0EF82230B4900BED14DC70AADA2DBC049350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34968BCE Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2148748625.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6cd2ff5f34b6f8f75a3b959003c93a1a51f1120edcc6334c8dbf4028e67cc7
Instruction ID: 4ccfe0597d5c26dd1747f06000452cbc379e24daae50edd901b366b4a2cb6152
Opcode Fuzzy Hash: 1c6cd2ff5f34b6f8f75a3b959003c93a1a51f1120edcc6334c8dbf4028e67cc7
Instruction Fuzzy Hash: A0110231B0E6894FEB65DAA880A41B87BD1FF4A320F1400FFC94DCB097DA2DA845C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34898711 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3e120cf12ca3b19f9ad4472ff26b906c90fa4d11cfb8b59ade052393be4d25
Instruction ID: a8fa42127a3969b0100704111cf87c23bcd0db475d613db705224d78ba6269be
Opcode Fuzzy Hash: 5a3e120cf12ca3b19f9ad4472ff26b906c90fa4d11cfb8b59ade052393be4d25
Instruction Fuzzy Hash: C111C261A59E8A1FD7A6A7A888752E87BD1EF06320F4405FAD04DC75E3CE2D2942C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34895205 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c5ba4d19f014bcabf9d223ca1c6d25cd2b7a867aa46d9d13cd86c99b339d50
Instruction ID: f1f1293b91fc34b83aa55a7b10f075b4b3899130bf8852da0d3eb3399d68cee0
Opcode Fuzzy Hash: f4c5ba4d19f014bcabf9d223ca1c6d25cd2b7a867aa46d9d13cd86c99b339d50
Instruction Fuzzy Hash: 8401677125CB0C4FD748EF4CE491AA6B7E0FB99364F10056DE58AC3651D636E881CB45

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD3489DA22 Relevance: 1.1, Instructions: 1073COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5624bd67d99b177da2fcaedc1989da1458ae694cdd6fb758423b603cf3f48947
Instruction ID: 0264ac8677532b9894c85b02c3ecff83713fee742f22118dcaa202dd2cb8976e
Opcode Fuzzy Hash: 5624bd67d99b177da2fcaedc1989da1458ae694cdd6fb758423b603cf3f48947
Instruction Fuzzy Hash: 5472F921B0EB864FEB969B7848752657BE1EF47220B1941FFC489CB1A3DD5CAC46C381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34896045 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b121f0ea3d8491dd1882b00a1b43d120fec8e52f7c1355542d06046b8df8ca
Instruction ID: 5985e10f1080b62abc1344c08604c1f600882d3c3c11818438dd758212eec410
Opcode Fuzzy Hash: d6b121f0ea3d8491dd1882b00a1b43d120fec8e52f7c1355542d06046b8df8ca
Instruction Fuzzy Hash: B702970BB0DA925BE22177FD78B61EA6F54CF8337571C41B7C3C8DA0A3A85C244A92D5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489F458 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49d1afd2ea2e740780b189b8ed6ebee30dd73668550043b10222e584ee0c975
Instruction ID: 94b0d6a03cb382cca28a88563a39ab59dcf9aa363116a261b4b6061f68e3ad13
Opcode Fuzzy Hash: f49d1afd2ea2e740780b189b8ed6ebee30dd73668550043b10222e584ee0c975
Instruction Fuzzy Hash: 4202E831B1CA454BE768A76894B26B5B3C2FF8A344F54417EE54EC32C3DD2DBC428681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348941F2 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2147901794.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc03fff116aee795cb0f09f093a7e8df032a1f1d1cf27d15ebd704843d40e30c
Instruction ID: 4e2204810b62646aa9d2a0e2f902121f5e2bcb69781a40948dc144bf10b88667
Opcode Fuzzy Hash: bc03fff116aee795cb0f09f093a7e8df032a1f1d1cf27d15ebd704843d40e30c
Instruction Fuzzy Hash: 1DE1B847A0FEC21BE75653BC28B51E96FA0EF9772470C01F7D5C8CB49BA81CA84A9345

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BloxStrap-v2.5.4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BloxStrap-v2.5.4.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0rb1zono.yim.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsiaprhi.k4h.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_goneh5ql.wtd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_markb1bx.euz.psm1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: BloxStrap-v2.5.4.exePID: 3428, Parent PID: 4004

Windows Analysis Report
BloxStrap-v2.5.4.exe