File name:

powershell_ise.exe

Full analysis: https://app.any.run/tasks/dc3cb3fc-70ac-4e2f-afa8-a7d9557685a3
Verdict: Malicious activity
Analysis date: February 14, 2024, 07:47:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

38AD174F78F04B3F92CFF53BFC221183

SHA1:

453EAE8B23A66FECE4FED0D3325C763CFCF1ACB3

SHA256:

A79E47618A8E236F104FD0076C6EE1494DDA346132309FEB7EE87046E395FAF4

SSDEEP:

6144:2NyseVVVV7rhoc6VVVVi8GKerVVVVVVVVVVV1VVVVVVX:2NyseVVVVHCc6VVVVi8X6VVVVVVVVVVX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • powershell_ise.exe (PID: 3700)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • powershell_ise.exe (PID: 3700)

    • Starts a Microsoft application from unusual location

      • powershell_ise.exe (PID: 3700)

    • Checks Windows Trust Settings

      • powershell_ise.exe (PID: 3700)

    • Reads security settings of Internet Explorer

      • powershell_ise.exe (PID: 3700)

    • Reads the Internet Settings

      • powershell_ise.exe (PID: 3700)

    • Reads settings of System Certificates

      • powershell_ise.exe (PID: 3700)

  • INFO

    • Checks supported languages

      • powershell_ise.exe (PID: 3700)

    • Reads the computer name

      • powershell_ise.exe (PID: 3700)

    • Creates files or folders in the user directory

      • powershell_ise.exe (PID: 3700)

    • Reads the machine GUID from the registry

      • powershell_ise.exe (PID: 3700)

    • Create files in a temporary directory

      • powershell_ise.exe (PID: 3700)

    • Reads the software policy settings

      • powershell_ise.exe (PID: 3700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2104:11:16 05:59:20+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 71168
InitializedDataSize: 141824
UninitializedDataSize: -
EntryPoint: 0x13466
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 10.0.22621.1
ProductVersionNumber: 10.0.22621.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Windows PowerShell ISE
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
InternalName: POWERSHELL_ISE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: powershell_ise.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.22621.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell_ise.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3700"C:\Users\admin\AppData\Local\Temp\powershell_ise.exe" C:\Users\admin\AppData\Local\Temp\powershell_ise.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell ISE
Exit code:
0
Version:
10.0.22621.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\powershell_ise.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
5 642
Read events
5 619
Write events
23
Delete events
0

Modification events

(PID) Process:(3700) powershell_ise.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3700) powershell_ise.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3700) powershell_ise.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3700) powershell_ise.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3700) powershell_ise.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
powershell_ise.exe
(PID) Process:(3700) powershell_ise.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
0
Suspicious files
2
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
3700powershell_ise.exeC:\Users\admin\AppData\Local\Temp\jabyx3k1.5a1.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3700powershell_ise.exeC:\Users\admin\AppData\Local\Temp\djbysxfp.pws.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3700powershell_ise.exeC:\Users\admin\AppData\Local\Temp\WPF\uiysaxwr.lppbinary
MD5:F04A2805F60770668268454EDFC499FA
SHA256:AB3A68D162953659E8C02DBD5C13121DF9DB824D404824450FD38134E32F5ADF
3700powershell_ise.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-67545\PowerShellISEPipeName_0_14f5bb3d-3ca8-48e5-8566-a152ecdb30a4text
MD5:A5EA0AD9260B1550A14CC58D2C39B03D
SHA256:F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
3700powershell_ise.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:DE3E389E155C6845D43C07185A11ACF1
SHA256:6761E2D1F087BBAA8A8DB8B1294E66088FDBE0B9B7FC6E43476D8B2ABDB79E56
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
powershell_ise.exe