powershell_ise.exe

  • File Path: C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe
  • Description: Windows PowerShell ISE

Screenshot

powershell_ise.exe

Hashes

Type Hash
MD5 E05920670516CC96822699E5688A79FA
SHA1 5F2596B6C147E13A32C7D73EF1C1365BA0171687
SHA256 1172951D8B1AA4CF9D0AC9F72AE344C5896CE4286C790A1F0DFF8A6F71A5772E
SHA384 4760816D7369B8DF66C185EC0FCC3DE3361FFDA65CA0F65767DDD7BD9EC837373FB68E34624399C2023F60F54A7519D6
SHA512 1C47B24D04104D0E7291D09AB6DAD2C0433CA4FFA947A051A73159A986A0C0E8634B3701153E54E7D96364F80407E9FCC6D5EB8A9C34D8EA35B86780211F9CFD
SSDEEP 3072:zfkVjGPsw40aLkVjqP4w6U+ToIuWNXmmZTWl/jC7gDooMLdx:zkTuZToIuUXmmZbgDooMb
PESHA1 6DA0DD4D97E6BB31D3098BEDE5C5F055A87F0A90
PE256 30E126A34BB6E9D83642D47C4B21D9154A9CE063C5BD2E8EBD1747B42D3731CE

Runtime Data

Window Title:

Windows PowerShell ISE

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ISECommon.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll File
(R-D) C:\Windows\System32\en-US\winnlsres.dll.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
...\Cor_SxSPublic_IPCBlock Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\Cor_Private_IPCBlock_v4_4644 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\KERNEL32.dll
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\MSCOREE.DLL
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: powershell_ise.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/1172951d8b1aa4cf9d0ac9f72ae344c5896ce4286c790a1f0dff8a6f71a5772e/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe 91
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe 91
C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe 88
C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe 90
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 94
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 90
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 93
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 91
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 91

Possible Misuse

The following table contains possible examples of powershell_ise.exe being misused. While powershell_ise.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_in_memory_powershell.yml - '\powershell_ise.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\powershell_ise.exe' DRL 1.0
sigma proc_creation_win_renamed_powershell.yml - '\powershell_ise.exe' DRL 1.0
sigma proc_creation_win_susp_bitstransfer.yml - '\powershell_ise.exe' DRL 1.0
atomic-red-team T1059.001.md 1. Open Powershell_ise as a Privileged Account MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

PowerShell_ise

Windows PowerShell Integrated Scripting Environment (ISE) is a graphical host application that enables you to read, write, run, debug, and test scripts and modules in a graphic-assisted environment. Key features such as IntelliSense, Show-Command, snippets, tab completion, syntax-coloring, visual debugging, and context-sensitive Help provide a rich scripting experience.

Using PowerShell.exe

The PowerShell_ISE.exe tool starts a Windows PowerShell ISE session. When you use PowerShell_ISE.exe, you can use its optional parameters to open files in Windows PowerShell ISE or to start a Windows PowerShell ISE session with no profile or with a multithreaded apartment.

  • To start a Windows PowerShell ISE session in a Command Prompt window, in Windows PowerShell, or at the Start menu, type:

    PowerShell_Ise.exe

  • To open a script (.ps1), script module (.psm1), module manifest (.psd1), XML file, or any other supported file in Windows PowerShell ISE, type:

    PowerShell_Ise.exe <filepath>

    In Windows PowerShell 3.0, you can use the optional File parameter as follows:

    PowerShell_Ise.exe -file <filepath>

  • To start a Windows PowerShell ISE session without your Windows PowerShell profiles, use the NoProfile parameter. (The NoProfile parameter is introduced in Windows PowerShell 3.0.), type:

    PowerShell_Ise.exe -NoProfile

  • To see the PowerShell_ISE.exe help file, type:

      PowerShell_Ise.exe -help
  PowerShell_Ise.exe -?
  PowerShell_Ise.exe /?

Remarks

  • For a complete list of the PowerShell_ISE.exe command-line parameters, see about_PowerShell_Ise.Exe.

  • For information about other ways to start Windows PowerShell, see Starting Windows PowerShell.

  • Windows PowerShell runs on the Server Core installation option of Windows Server operating systems. However, because Windows PowerShell ISE requires a graphic user interface, it does not run on Server Core installations.

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.