powershell_ise.exe

  • File Path: C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe
  • Description: Windows PowerShell ISE

Screenshot

powershell_ise.exe

Hashes

Type Hash
MD5 9577A63626D2536E7416494F09F0EEC2
SHA1 044CA0FECF2436AAC3F9E7ACC3C97B30588C594D
SHA256 77B4C0F9929073CE132223F3169349F3E7A626C392B7DBC1A39FA89265C2C6BF
SHA384 677980CAF0309103FD3DE0AB26B08814926235E8F427ACB24AD409927A2F1613CEFA18BCD14EF76E8B2D02DE2036D6D4
SHA512 5098BBA829A795C2AEFA85A583388B71690F588DDA92BB85B5304FD698E1AA77A610FE98EF93767803FC6FA11A46F94711BF1A4F9E0B7DC464CE61823B9E8763
SSDEEP 3072:KDEkVjGPsw40vLkVjqP4w6U+ToIuWNXmmZTWl/jC7gDooMLa6:K4kSuZToIuUXmmZbgDooMz
PESHA1 6D8E1F84FD8DBD336C84593169B6FAF9868E1B48
PE256 5F22050604E95FCC7F8D93F85E9BB1EB7B732CDDA10E2EF36804F768C56BC22E

Runtime Data

Child Processes:

explorer.exe

Window Title:

Windows PowerShell ISE

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\System32\en-US\winnlsres.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 File
...\Cor_SxSPublic_IPCBlock Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\Cor_Private_IPCBlock_v4_4760 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\8ebae32cd8bf9bc337e933a45adb2ffa\Microsoft.PowerShell.ISECommon.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\5543cca0df435801e2303ff46a482ed5\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\f29b1120627489754c4b8dd317bbe950\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\6c6bbae87386b6a33957366eae0e4470\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bb0ca52db926eaec4a94a8b656f61a94\System.Management.Automation.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\23c1e20aa87eccaf2c33ba9f47d2319e\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6885802f40fd803e49150d8a2b43a09b\System.ni.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\SYSTEM32\CRYPTBASE.dll
C:\Windows\System32\CRYPTSP.dll
C:\Windows\system32\dwmapi.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.dll
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\MSASN1.dll
C:\Windows\SYSTEM32\MSCOREE.DLL
C:\Windows\System32\MSCTF.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\SYSTEM32\MSVCR120_CLR0400.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\ntmarta.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\psapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\system32\rsaenh.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHCORE.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\TextInputFramework.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\SYSTEM32\VERSION.dll
C:\Windows\System32\win32u.dll
C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe
C:\Windows\SYSTEM32\wintypes.dll
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\comctl32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: powershell_ise.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/77b4c0f9929073ce132223f3169349f3e7a626c392b7dbc1a39fa89265c2c6bf/detection/

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe 90
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe 90
C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe 86
C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe 90
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 90
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 96
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 90
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 90
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 90

Possible Misuse

The following table contains possible examples of powershell_ise.exe being misused. While powershell_ise.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_in_memory_powershell.yml - '\powershell_ise.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_powershell.yml - '\powershell_ise.exe' DRL 1.0
sigma proc_creation_win_susp_bitstransfer.yml - '\powershell_ise.exe' DRL 1.0
atomic-red-team T1059.001.md 1. Open Powershell_ise as a Privileged Account MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


PowerShell_ise

Windows PowerShell Integrated Scripting Environment (ISE) is a graphical host application that enables you to read, write, run, debug, and test scripts and modules in a graphic-assisted environment. Key features such as IntelliSense, Show-Command, snippets, tab completion, syntax-coloring, visual debugging, and context-sensitive Help provide a rich scripting experience.

Using PowerShell_ISE.exe

The PowerShell_ISE.exe tool starts a Windows PowerShell ISE session. When you use PowerShell_ISE.exe, you can use its optional parameters to open files in Windows PowerShell ISE or to start a Windows PowerShell ISE session with no profile or with a multithreaded apartment.

  • To start a Windows PowerShell ISE session in a Command Prompt window, in Windows PowerShell, or at the Start menu, type:

    PowerShell_Ise.exe
    
  • To open a script (.ps1), script module (.psm1), module manifest (.psd1), XML file, or any other supported file in Windows PowerShell ISE, type:

    PowerShell_Ise.exe <filepath>
    

    In Windows PowerShell 3.0, you can use the optional File parameter as follows:

    PowerShell_Ise.exe -file <filepath>
    
  • To start a Windows PowerShell ISE session without your Windows PowerShell profiles, use the NoProfile parameter (introduced in Windows PowerShell 3.0). Type:

    PowerShell_Ise.exe -NoProfile
    
  • To see the PowerShell_ISE.exe help file, type:

      PowerShell_Ise.exe -help
      PowerShell_Ise.exe -?
      PowerShell_Ise.exe /?
    

Remarks

  • For a complete list of the PowerShell_ISE.exe command-line parameters, see about_PowerShell_Ise.Exe.

  • For information about other ways to start Windows PowerShell, see Starting Windows PowerShell.

  • Windows PowerShell runs on the Server Core installation option of Windows Server operating systems. However, because Windows PowerShell ISE requires a graphic user interface, it does not run on Server Core installations.

MIT License. Copyright (c) 2020-2021 Strontic.