However, examining the URL history, we observed PowerShell.exe reaching out to the following domains, as shown in Figure 5.

Third-stage payload
In the case the MDR team examined, we did not observe the third stage succeed in fully deploying GootKit, which prevented the download of any additional malicious tooling. This stage is typically where additional tools such as Cobalt Strike are deployed, or where ransomware is added to the victim's machine.
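As an added example, not code from the original report, the check behind the PowerShell.exe observation above: a Python scan of constructed Sysmon-style network-connection records that reports which external hosts PowerShell images contacted. The record format, field names, the internal naming suffix and all sample values are assumptions.

```python
import ipaddress
import ntpath
from collections import Counter

# Process names of interest; Sysmon logs the full image path, so we compare the basename.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Assumed internal naming suffix and address ranges; adjust to the environment.
INTERNAL_SUFFIX = ".corp.example.test"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events in a Sysmon Event ID 3 (network connection) style,
# serialised as 'Key: value' pairs separated by '|'. Values are illustrative only.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|User: CORP\\jdoe|DestinationIp: 203.0.113.10|DestinationHostname: cdn-update.invalid|DestinationPort: 443",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE|User: CORP\\jdoe|DestinationIp: 198.51.100.7|DestinationHostname: assets-loader.invalid|DestinationPort: 80",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|User: CORP\\jdoe|DestinationIp: 10.0.5.20|DestinationHostname: wsus01.corp.example.test|DestinationPort: 8530",
    "Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe|User: CORP\\jdoe|DestinationIp: 203.0.113.10|DestinationHostname: cdn-update.invalid|DestinationPort: 443",
    "Image: C:\\Program Files\\PowerShell\\7\\pwsh.exe|User: CORP\\jdoe|DestinationIp: 203.0.113.10|DestinationPort: 443",
]

def parse_event(line):
    """Split one 'Key: value|Key: value' record into a dict (first ':' separates key)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def is_internal(fields):
    """True when the destination carries the internal suffix or sits in an internal range."""
    if fields.get("DestinationHostname", "").lower().endswith(INTERNAL_SUFFIX):
        return True
    try:
        ip = ipaddress.ip_address(fields.get("DestinationIp", ""))
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def powershell_external_destinations(events):
    """Count external destinations contacted by PowerShell images, mirroring the
    URL-history review; hostname preferred, destination IP used as a fallback."""
    hits = Counter()
    for line in events:
        f = parse_event(line)
        image = ntpath.basename(f.get("Image", "")).lower()
        if image not in POWERSHELL_IMAGES or is_internal(f):
            continue
        dest = f.get("DestinationHostname") or f.get("DestinationIp", "<unknown>")
        hits[dest.lower()] += 1
    return hits

if __name__ == "__main__":
    for dest, n in powershell_external_destinations(SAMPLE_EVENTS).items():
        print(f"{dest}: {n} connection(s)")
```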