# PowerShell Deobfuscation Analysis Report

## Report Metadata

| Field | Value |
|-------|-------|
| Report ID | PS-DEOB-YYYY-NNNN |
| Date | YYYY-MM-DD |
| Sample Hash (SHA-256) | |
| Original Filename | |
| Classification | TLP:AMBER |

## Obfuscation Layers Identified

| Layer | Technique | Description |
|-------|-----------|-------------|
| 1 | | |
| 2 | | |
| 3 | | |

## Deobfuscation Results

### Layer-by-Layer Breakdown

| Layer | Input Size | Output Size | Technique Applied |
|-------|-----------|-------------|-------------------|
| 1 | bytes | bytes | |
| 2 | bytes | bytes | |

### Final Deobfuscated Script Summary

- **Total layers removed**:
- **Final script purpose**:
- **Execution method**:

## Extracted IOCs

### URLs

| URL | Purpose |
|-----|---------|
| | Payload download / C2 |

### IP Addresses

| IP | Context |
|----|---------|
| | |

### File System Artifacts

| Path | Action |
|------|--------|
| | Created / Modified / Deleted |

### Registry Keys

| Key | Action |
|-----|--------|
| | Created / Modified |

## Behavioral Analysis

- **Download behavior**:
- **Persistence mechanism**:
- **Evasion techniques**:
- **Payload type**:

## MITRE ATT&CK Mapping

| Technique | ID | Evidence |
|-----------|-----|---------|
| PowerShell | T1059.001 | Script execution |
| Obfuscated Files | T1027 | Multi-layer encoding |
| | | |