Edit tour

Windows Analysis Report
BloxStrap-v2.5.4.exe

Overview

General Information

Sample name:	BloxStrap-v2.5.4.exe
Analysis ID:	1397849
MD5:	5a00d26fb5a91ed9aaa18b63a855ae86
SHA1:	99e15f5c635f20f6423af6d4d9ddaea8ce5fbe68
SHA256:	2c70eaecc9c8ee5084aae91a55116e11c57d63bcbc539392cc764b8580d1e5b7
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

BloxStrap-v2.5.4.exe (PID: 3580 cmdline: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe MD5: 5A00D26FB5A91ED9AAA18B63A855AE86)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4388 cmdline: powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5076 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cleanup

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe, CommandLine: powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe, ParentImage: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe, ParentProcessId: 3580, ParentProcessName: BloxStrap-v2.5.4.exe, ProcessCommandLine: powershell.exe, ProcessId: 4388, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Source: BloxStrap-v2.5.4.exe

Static PE information: certificate valid

Source: BloxStrap-v2.5.4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\source\repos\Swing\Swing\obj\Debug\BloxStrap.pdb source: BloxStrap-v2.5.4.exe
Source:	Binary string: fll\System.Core.pdb source: powershell.exe, 00000003.00000002.2209924838.000002796DC0B000.00000004.00000020.00020000.00000000.sdmp

Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: powershell.exe, 00000003.00000002.2211251145.000002796DEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mX14
Source: powershell.exe, 00000003.00000002.2211251145.000002796DF8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: BloxStrap-v2.5.4.exe, 00000001.00000002.2235210474.000001BC3DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2185139788.0000027955821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2211251145.000002796DEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: powershell.exe, 00000003.00000002.2185139788.0000027955821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000003.00000002.2185139788.0000027955821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2185139788.0000027955821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xG
Source: powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2185139788.0000027957436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: BloxStrap-v2.5.4.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B6DA0	3_2_00007FFD348B6DA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B54F8	3_2_00007FFD348B54F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348BD6D3	3_2_00007FFD348BD6D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B6045	3_2_00007FFD348B6045
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B41F2	3_2_00007FFD348B41F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B53FA	3_2_00007FFD348B53FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B63C8	3_2_00007FFD348B63C8

Source: BloxStrap-v2.5.4.exe

Static PE information: No import functions for PE file found

Source: BloxStrap-v2.5.4.exe, 00000001.00000000.2064078680.000001BC3BFA4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBloxStrap.exe4 vs BloxStrap-v2.5.4.exe
Source: BloxStrap-v2.5.4.exe	Binary or memory string: OriginalFilenameBloxStrap.exe4 vs BloxStrap-v2.5.4.exe

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: classification engine

Classification label: mal48.winEXE@6/6@0/0

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BloxStrap-v2.5.4.exe.log

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0jgtllv.ifm.ps1

Jump to behavior

Source: BloxStrap-v2.5.4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BloxStrap-v2.5.4.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe C:\Users\user\Desktop\BloxStrap-v2.5.4.exe
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe	Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: BloxStrap-v2.5.4.exe

Static PE information: certificate valid

Source: BloxStrap-v2.5.4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BloxStrap-v2.5.4.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: BloxStrap-v2.5.4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: BloxStrap-v2.5.4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\source\repos\Swing\Swing\obj\Debug\BloxStrap.pdb source: BloxStrap-v2.5.4.exe
Source:	Binary string: fll\System.Core.pdb source: powershell.exe, 00000003.00000002.2209924838.000002796DC0B000.00000004.00000020.00020000.00000000.sdmp

Source: BloxStrap-v2.5.4.exe

Static PE information: 0xDE722363 [Mon Apr 5 16:48:35 2088 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3479D2A5 pushad ; iretd	3_2_00007FFD3479D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348C04DD push esp; retf	3_2_00007FFD348C04DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348BD5F2 push eax; ret	3_2_00007FFD348BD639
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B1DA5 pushfd ; ret	3_2_00007FFD348B1FBA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B1DC5 pushfd ; ret	3_2_00007FFD348B1FBA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B26BD push E95DB1B9h; ret	3_2_00007FFD348B2799
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B776A pushad ; iretd	3_2_00007FFD348B785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B7938 push ebx; retf	3_2_00007FFD348B796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B785E push eax; iretd	3_2_00007FFD348B786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348B117D push E95DB1B5h; ret	3_2_00007FFD348B1199

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Memory allocated: 1BC3C2F0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Memory allocated: 1BC55CE0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5258			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3577			Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe TID: 4080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272	Thread sleep count: 5258 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272	Thread sleep count: 3577 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: BloxStrap-v2.5.4.exe, 00000001.00000002.2233898519.000001BC3C142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: BloxStrap-v2.5.4.exe, 00000001.00000002.2233898519.000001BC3C142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}DD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe

Jump to behavior

Source: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe	Queries volume information: C:\Users\user\Desktop\BloxStrap-v2.5.4.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Virtualization/Sandbox Evasion	Security Account Manager	32 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BloxStrap-v2.5.4.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://ocsps.ssl.com0?	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://ocsps.ssl.com0	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://crl.mX14	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://crl.microso	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	BloxStrap-v2.5.4.exe	false		high
http://crl.mX14	powershell.exe, 00000003.00000002.2211251145.000002796DEB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsps.ssl.com0?	BloxStrap-v2.5.4.exe	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 00000003.00000002.2211251145.000002796DEB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	BloxStrap-v2.5.4.exe	false		high
https://contoso.com/Icon	powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	BloxStrap-v2.5.4.exe	false		high
http://ocsps.ssl.com0	BloxStrap-v2.5.4.exe	false	URL Reputation: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000003.00000002.2185139788.0000027955821000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	BloxStrap-v2.5.4.exe	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	BloxStrap-v2.5.4.exe	false		high
http://crl.microso	powershell.exe, 00000003.00000002.2211251145.000002796DF8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2185139788.0000027955AF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2185139788.0000027957436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2200842487.00000279658AD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ssl.com/repository0	BloxStrap-v2.5.4.exe	false		high
https://aka.ms/pscore6xG	powershell.exe, 00000003.00000002.2185139788.0000027955821000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.2185139788.0000027955821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BloxStrap-v2.5.4.exe, 00000001.00000002.2235210474.000001BC3DCE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2185139788.0000027955821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	BloxStrap-v2.5.4.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1397849
Start date and time:	2024-02-23 18:03:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BloxStrap-v2.5.4.exe
Detection:	MAL
Classification:	mal48.winEXE@6/6@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 71% Number of executed functions: 17 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BloxStrap-v2.5.4.exe, PID 3580 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4388 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
VT rate limit hit for: BloxStrap-v2.5.4.exe

Process:	C:\Users\user\Desktop\BloxStrap-v2.5.4.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.355760272568367
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2FDkwIyp1v:Q3La/KDLI4MWuPXcp1v
MD5:	FC3575D5BE1A5405683DC33B66D36243
SHA1:	1C816D34B7D5B96E077DC3EF640BA8C7BA370502
SHA-256:	1D7F7FBA862417A1D0351C1BF454F1A9BB0ED7FFD5DF1112EED802C01BDDA50C
SHA-512:	68914FE00F8550A623074F9ACC31ACEF8A3F6DFDDBD9FDA23512079BEC5E8A4D4E82BC8CD8D536E6C88F4DA3A704AC376785B44343BD3BED83E440857A3C0164
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	3000
Entropy (8bit):	5.470295800121604
Encrypted:	false
SSDEEP:	48:/izsSU4y4RQmFoUeCamfg9qr9t5/78NfRrigxJZKaVEouYAgwd64rHLjtv8:/izlHyIFKL2I9qrh7KfRxJ5Eo9Adrx8
MD5:	665209CC62E842011D30330261A3455F
SHA1:	AD5468B159D2612272D4DDBC721628ACB8F4D9C3
SHA-256:	2D7C2547443774F9D1994CE4D75DD22C5ABED605A22C26C5A32DCE1CA7A3108C
SHA-512:	8BAA4F808E933E5CF3D78C4A5960491580C8DA0987E034CE7E0B522906FB6A3C55B3369639116D8BA85BAB1D99E8E704D49D0875D24D860FAC8A540B5DDF9944
Malicious:	false
Reputation:	low
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..+.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2otg21ap.3rl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zq1j1ci.ttx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpziz35x.2uo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0jgtllv.ifm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.610456036637309
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	BloxStrap-v2.5.4.exe
File size:	121'192 bytes
MD5:	5a00d26fb5a91ed9aaa18b63a855ae86
SHA1:	99e15f5c635f20f6423af6d4d9ddaea8ce5fbe68
SHA256:	2c70eaecc9c8ee5084aae91a55116e11c57d63bcbc539392cc764b8580d1e5b7
SHA512:	bb675ed7c9965e421ab5975156571a28e3502b3e448c5f7ae52760c91a945d30fab3c25520be4fed196cab0ab8021901eecea6d14606e87b022eafc8254f0124
SSDEEP:	3072:9fk29dliNETddwY0JwsR4TbswYqkX5bEdGDOjESHhddJWjjY/ffIg0ju2UBs5CqS:9F9dXHqS
TLSH:	C2C3C5FD6C456034C2F7417445F26D26E2286A8C9FC97112333CB6EEABBB8585643B93
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...c#r..........."...0.................. .....@..... ....................................`...@......@............... .....

File Icon


Icon Hash:	0d718d925244412f

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDE722363 [Mon Apr 5 16:48:35 2088 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com Code Signing Intermediate CA RSA R1, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	14/09/2023 21:00:47 13/09/2024 21:00:47
Subject Chain	CN=Raecomm Services Ltd, O=Raecomm Services Ltd, L=Rowlands Gill, S=England, C=GB
Version:	3
Thumbprint MD5:	FD10F61314EF50BDF5F137564C4014F4
Thumbprint SHA-1:	C650164579439A7BC20B4A73F70335D67663DCEA
Thumbprint SHA-256:	928953EA05FBF99EF21CAAC9289343E0E219BBB36EA473CAFFB4BD893CF01148
Serial:	4071BFD40B15020A57FAD20E1A50D3A7

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x1a1b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1b400	0x2568	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2e14	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xeac	0x1000	457616a5e1548dcc08b6822ea615acf8	False	0.517578125	data	5.085976412777356	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x1a1b0	0x1a200	3ff2fcbe1ebd92a0f93b556a02e08d39	False	0.29979066985645936	data	5.281989404743481	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x41a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0, resolution 5668 x 5668 px/m	0.8102836879432624
RT_ICON	0x4618	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0, resolution 5668 x 5668 px/m	0.669672131147541
RT_ICON	0x4fb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0, resolution 5668 x 5668 px/m	0.5651969981238274
RT_ICON	0x6068	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0, resolution 5668 x 5668 px/m	0.4327800829875519
RT_ICON	0x8620	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0, resolution 5668 x 5668 px/m	0.35468823807274447
RT_ICON	0xc858	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0, resolution 5668 x 5668 px/m	0.2291346267597303
RT_GROUP_ICON	0x1d090	0x5a	data	0.7555555555555555
RT_VERSION	0x1d0fc	0x34c	data	0.41824644549763035
RT_MANIFEST	0x1d458	0xd53	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.38463793608912344

• BloxStrap-v2.5.4.exe
• conhost.exe
• powershell.exe
• conhost.exe
• WmiPrvSE.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• BloxStrap-v2.5.4.exe
• conhost.exe
• powershell.exe
• conhost.exe
• WmiPrvSE.exe

Click to jump to process

Target ID:	1
Start time:	18:04:03
Start date:	23/02/2024
Path:	C:\Users\user\Desktop\BloxStrap-v2.5.4.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\BloxStrap-v2.5.4.exe
Imagebase:	0x1bc3bfa0000
File size:	121'192 bytes
MD5 hash:	5A00D26FB5A91ED9AAA18B63A855AE86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:04:03
Start date:	23/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:04:04
Start date:	23/02/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:04:04
Start date:	23/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:04:07
Start date:	23/02/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FFD348A0611 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2235937055.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3411c9902f1055571aa4964ee6354504b37dc0c9576e6031943a0844d122d8b5
Instruction ID: 6c20c6f006ae7af1587b84af1939a93576e170b9c6698a249a829c495f26ab33
Opcode Fuzzy Hash: 3411c9902f1055571aa4964ee6354504b37dc0c9576e6031943a0844d122d8b5
Instruction Fuzzy Hash: 75015282B0F6DA0FF796A73C08F50A45B91DF97290B1845F6D188CB0E7D84C68076362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0D5D Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2235937055.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d543f2313ea6f40382611079fc00ec2e62c91f1ffb11b4407394f6c0f01da14
Instruction ID: 8107660e5e82d98f5b57c298acfa34a65e6b4b6fa72b626c707f7814e2609a20
Opcode Fuzzy Hash: 2d543f2313ea6f40382611079fc00ec2e62c91f1ffb11b4407394f6c0f01da14
Instruction Fuzzy Hash: FE01F526B1DACE4FEB52EB6844611E97BE1EF47300F0841F6D948C71D3CE596C198392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A09BD Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2235937055.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f006025cfd8002e04fce1d5f5b9423a51706916a917c287b83aba19a966ab8
Instruction ID: 085001174b157a0d721cebc8271a49ddff5932986a694d6da4a1fa0e4079095e
Opcode Fuzzy Hash: 16f006025cfd8002e04fce1d5f5b9423a51706916a917c287b83aba19a966ab8
Instruction Fuzzy Hash: 00215E3071984A9FDBC5EB2CC0A5BA9B7E1FF9A304F050169D10DC3293CFA9A8529791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0FF5 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2235937055.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975c691e1e4fc1f1c87053ed89ed5d0ea2ad3f5ade098dc7e9fe72c6327ec7f2
Instruction ID: fbed1afabaa71e1851fcf05cfa69decc152b5e371de94ed8b8e654cc4f5c6384
Opcode Fuzzy Hash: 975c691e1e4fc1f1c87053ed89ed5d0ea2ad3f5ade098dc7e9fe72c6327ec7f2
Instruction Fuzzy Hash: D111023265E6D65FD712A36858626E5BBB0EF43314F0902E7D058C7193CA1D295683E2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0AA9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2235937055.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4816554a2f6ff5a1cbacf44aca915ae3b956c28b790cee9fba51d009f3629a4
Instruction ID: dc1615cf8bc0d7cc840652b73bdd1273e70a3732e2e0b00f2995e54bae2fa482
Opcode Fuzzy Hash: d4816554a2f6ff5a1cbacf44aca915ae3b956c28b790cee9fba51d009f3629a4
Instruction Fuzzy Hash: 34012831A495895FDB41ABA458260EA37E4EF03319F0901A7E80CCB292D96C7A9583A3

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A08BD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2235937055.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70b976abd56263d8d95f7d794c5f204cbb277625e3fc79f9aa62a434be1ccd5
Instruction ID: f48c745f9879be322be86044ea668d5dfe01a4a06ae6b077805ba0dfab1f694e
Opcode Fuzzy Hash: d70b976abd56263d8d95f7d794c5f204cbb277625e3fc79f9aa62a434be1ccd5
Instruction Fuzzy Hash: 5FF0F682B0FA9A0FF396E72C09A50685B91EFD7250B1C02F7C1C8C70D7DC4C680A5362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0919 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2235937055.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7437b4be140890ffc62c6003669b5c453e7efcd20fceec36c58a07f5d98b25f9
Instruction ID: ce05253cdd7a7d2b7874b57e29fc927b2e775aaa92c87a40fba71762b4b18977
Opcode Fuzzy Hash: 7437b4be140890ffc62c6003669b5c453e7efcd20fceec36c58a07f5d98b25f9
Instruction Fuzzy Hash: 87F0A03190A1886FDB81DF6488615A5BBA0EF47304F0941EAD9488B153CA69A51487D2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0A72 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2235937055.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7494f7d7c1878651df7b840ccbd73f7406203d50f9844b478d8c0c38f0d09f
Instruction ID: fd8680ecf56f37c731458803073a932448a047292e461db74a2c11d9dc3cceb7
Opcode Fuzzy Hash: 3c7494f7d7c1878651df7b840ccbd73f7406203d50f9844b478d8c0c38f0d09f
Instruction Fuzzy Hash: E7E0CD3664DD8C4BDB44EF59AC114D67BA4FBCA30CF0005ABE65CC7241D6259951C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A0899 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2235937055.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348a0000_BloxStrap-v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69fdc846b5c47db7ea065eae0d4881e99e5ff1e2afb6c4dccdd97a9a3477e88
Instruction ID: b8a1bb91084c4c9d8725cae98fc13cf331e9e2679affc30f75f6c8563db7a1ee
Opcode Fuzzy Hash: b69fdc846b5c47db7ea065eae0d4881e99e5ff1e2afb6c4dccdd97a9a3477e88
Instruction Fuzzy Hash: 1FC00208E4F40705E8D43BE518E20F825407F4726CFD604B0EA8CD15839DCE25956176

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 4388, Parent PID: 3580COMMON

Executed Functions

Function 00007FFD348B6DA0 Relevance: 3.8, Strings: 2, Instructions: 1316COMMON

Download Yara Rule

Strings

ZL_H, xrefs: 00007FFD348BCA6D
d, xrefs: 00007FFD348BC594

Memory Dump Source

Source File: 00000003.00000002.2228063387.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID: ZL_H$d
API String ID: 0-3607410705
Opcode ID: 53922e8bf5ec66801a5a652afcfb172ea3701940df30e9215113e8b3101a8587
Instruction ID: 43f66c6d1f577ffbfc0a37b69678436a4746a8c63e6d60ce9864bfd33c85a7a9
Opcode Fuzzy Hash: 53922e8bf5ec66801a5a652afcfb172ea3701940df30e9215113e8b3101a8587
Instruction Fuzzy Hash: 8F823631B0CA4A4FE799DB2884A56B577E1FF96310B1446BED44EC7292DE78FC428780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34981669 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2228894613.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc216c417929ac8e07d45b91d952f5a01063af0d8fe0693b81d347f42c04d846
Instruction ID: 6ad3cf7a3766af697af349f18551a8bc63fe3c7e3bd8cae6334b177b480d7987
Opcode Fuzzy Hash: dc216c417929ac8e07d45b91d952f5a01063af0d8fe0693b81d347f42c04d846
Instruction Fuzzy Hash: 1DE12322B0DA890FE796972C98B61B43BE1EF93210B4801FFD58DC7197ED1DAC068352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348B871D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2228063387.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bfa0e23509907f31be611ca98a5f8486c51c2f8f95c1813b77c98765117cf1a
Instruction ID: 56101f6a184647f2c804eb33fb0662c5c237aafc8e1636f185a2723755c6760a
Opcode Fuzzy Hash: 1bfa0e23509907f31be611ca98a5f8486c51c2f8f95c1813b77c98765117cf1a
Instruction Fuzzy Hash: 0B61C331B0998A4FEBA6DB6888757E87BB1EF5A300F4405F6D44CE7193CE386D858781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34986433 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2228894613.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2950fc6917278f4730b0952416c117665e1eda198c9043abd1aa6b2f3fbb8a10
Instruction ID: a8148ec38aa74549471619441e1b557b924a8d69cf558ebacbe154f0c7841891
Opcode Fuzzy Hash: 2950fc6917278f4730b0952416c117665e1eda198c9043abd1aa6b2f3fbb8a10
Instruction Fuzzy Hash: BA511C22B0DA4A4FE7D5962C54B117477D2EF96320B5800BEC25DCB1ABDE29FC05D351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3479E380 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227503714.00007FFD3479D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3479D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd3479d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e179fe28b6e199503b2bbc1fd2883d9caae92ffd1a8892c1557c41b0e171d2
Instruction ID: 700e59fd10601c3643912a24407fe0007eae4315c5ff25c484689ef7129ab720
Opcode Fuzzy Hash: b5e179fe28b6e199503b2bbc1fd2883d9caae92ffd1a8892c1557c41b0e171d2
Instruction Fuzzy Hash: 0441F2B190DBC48FE7568B2898959523FB0EF53320B1905EFD088CB1A3D629B846C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3498647F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2228894613.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe78944702574c4e1f987ad6d4c70cf77386425be59fb6f33cfcad4822293b22
Instruction ID: 0a92e2a03bcd86b75859e684c78983dedf9ddd0d5a4d3589a70285564f14e60e
Opcode Fuzzy Hash: fe78944702574c4e1f987ad6d4c70cf77386425be59fb6f33cfcad4822293b22
Instruction Fuzzy Hash: A821E423B0DA4A4FE7E59A2C54F517826C2EF56320B5800BED64ECB1BACE2CFC059311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348B5205 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2228063387.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95890e5213647db337d92989b6b09eb74e2064676fe54cf01c074ab2b684c87d
Instruction ID: 105946cc6e102a6a94eebb99fa9955092470018a24266b41bb46d3a4bfecc010
Opcode Fuzzy Hash: 95890e5213647db337d92989b6b09eb74e2064676fe54cf01c074ab2b684c87d
Instruction Fuzzy Hash: B101677125CB0C4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651DA36E881CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD349867B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2228894613.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd34980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbea5d5cf112fe1a4513a7fa867447f83114ed4d7d3b27ff87d2db885dd9340
Instruction ID: f95930f29a8da982982711053a4ea13012527fa58dc964ce32f26995db1ce4ae
Opcode Fuzzy Hash: 5cbea5d5cf112fe1a4513a7fa867447f83114ed4d7d3b27ff87d2db885dd9340
Instruction Fuzzy Hash: EFF08232B0D6488FDB94EB5CE4915E877E0FF4632075440BAE15DCB4A7DA2AEC44C790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD348B6045 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

?H_L, xrefs: 00007FFD348FE571

Memory Dump Source

Source File: 00000003.00000002.2228063387.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID: ?H_L
API String ID: 0-3050088371
Opcode ID: 432ecbd95b4632a1a2af2415ee5a79627f117c669540bc59ecc768492648c876
Instruction ID: f500636115ea737bdbe91954069656f593894944eaef447bdce9da90c1df331e
Opcode Fuzzy Hash: 432ecbd95b4632a1a2af2415ee5a79627f117c669540bc59ecc768492648c876
Instruction Fuzzy Hash: 0BC1B816B0D6D21FE72267BC68B60F63BA4DF5336570C41B7D1C9DA0A3EC5C284A82D6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348B63C8 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD348B6401

Memory Dump Source

Source File: 00000003.00000002.2228063387.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-3811526842
Opcode ID: 87460f7437a5ef4d9376de3228bc95f0e3fd391e83e664da118183771aee609b
Instruction ID: 3d5cee31ccf63391a085bc2e215a1ed924cec474ef4b22f164c99e687e389fc8
Opcode Fuzzy Hash: 87460f7437a5ef4d9376de3228bc95f0e3fd391e83e664da118183771aee609b
Instruction Fuzzy Hash: 77614A07B0D9522AD21177FD78720FE3B64DF8337671C5277C28CDA063AC69648A52D6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348BD6D3 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

mL_^, xrefs: 00007FFD348BD701

Memory Dump Source

Source File: 00000003.00000002.2228063387.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID: mL_^
API String ID: 0-544782606
Opcode ID: 35364ae17634f7272b3b3761a6da3b032ff71ae6758393f1601b8749378d75d2
Instruction ID: 30c017d15edbd2664c82910fa0db289e827ef8a5812824cb8d08e8d52ba03847
Opcode Fuzzy Hash: 35364ae17634f7272b3b3761a6da3b032ff71ae6758393f1601b8749378d75d2
Instruction Fuzzy Hash: 75418217A0E6D66FE712573C58B50D97FE0DE4326970851B3CAE4CA093EE1D180BA2D2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348B41F2 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2228063387.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc6c8c659d1fc8992580f0f2cfb3088feb0dcdee7965d22f05841eeb85182a3
Instruction ID: 422120bd6183ccf33282909e396fb6f3e4d4c7f65e2e089d8731bf193d52757b
Opcode Fuzzy Hash: dbc6c8c659d1fc8992580f0f2cfb3088feb0dcdee7965d22f05841eeb85182a3
Instruction Fuzzy Hash: 6DE1A243A0FAC21FE75253AC28B60F96FA4DF5372470C41F7E588DA097AC5CAD0A9381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348B54F8 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2228063387.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d428c23fb3037d749ab14a93f6ff319176b4ba52c011f9afabd3733a1fdc09c1
Instruction ID: d4b75b90adde858c8c19f391b4e09a337bf2ab4f5c8f7a5fd12a1f54b3c1e602
Opcode Fuzzy Hash: d428c23fb3037d749ab14a93f6ff319176b4ba52c011f9afabd3733a1fdc09c1
Instruction Fuzzy Hash: 1D71A647B1E7D21EF6A2536C68F60EA3F94DE532B974D10B3C785CA493AC4D280B91D2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348B53FA Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2228063387.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b19f04ca3057248195591c1aa4872d486b995c1ae524f460e1cf1e30c1f9faa
Instruction ID: fcebd754663d8054c1b757d4ac03d2012352749a77721907733edb4d7a985303
Opcode Fuzzy Hash: 5b19f04ca3057248195591c1aa4872d486b995c1ae524f460e1cf1e30c1f9faa
Instruction Fuzzy Hash: 0E418647B0E7A21FE291536D5CB60FA3BA0DF5327A70911F3C6D8C64939D8D180B65E1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BloxStrap-v2.5.4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BloxStrap-v2.5.4.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2otg21ap.3rl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zq1j1ci.ttx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpziz35x.2uo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0jgtllv.ifm.ps1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: BloxStrap-v2.5.4.exePID: 3580, Parent PID: 4004

Windows Analysis Report
BloxStrap-v2.5.4.exe