F001MEDIUMBenign / FPvalidator: passed

PowerShell process with multiple RWX memory regions indicating code injection

powershell.exe (PID 8712)

Analyst narrative

PowerShell.exe (PID 8712) contains multiple VAD regions with PAGE_EXECUTE_READWRITE protection, indicative of process injection or runtime code modification. Supported by vol_malfind showing 3 distinct RWX regions (fact_ids: memory_injection_fact-0000003, memory_injection_fact-0000004, memory_injection_fact-0000005). This is a core execution (TA0002) finding combined with defense evasion (TA0005) via code injection.

Claims asserted

pid-vol_malfindvol_psscanvol_pstree

user_account-vol_handles

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

⊞

handle facthandle:pid:8712:event:4

vol_handles

›

Raw tool output · d31ae8a834d43783bb778450a3e1026c5d82cb00

{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518682726720, "PID": 8712, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:iocompletion:12

vol_handles

›

Raw tool output · c828ae074b5fa5e14fbf5a0e6738f0221d4fb757

{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518681102848, "PID": 8712, "Process": "powershell.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:tpworkerfactory:16

vol_handles

›

Raw tool output · 88f49d19492618679c92f52643068785586c75c1

{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518770886784, "PID": 8712, "Process": "powershell.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:irtimer:20

vol_handles

›

Raw tool output · d2f88e78a3aedb97d2c19033ccc7d3e351ca6633

{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518723790832, "PID": 8712, "Process": "powershell.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:waitcompletionpacket:24

vol_handles

›

Raw tool output · 835ff46e46da459545ce36fbf4797deb5e8392be

{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518684816896, "PID": 8712, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:irtimer:28

vol_handles

›

Raw tool output · 04488ddec0f9b4d6c97420392a89e6b0bd31c1e8

{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518701700320, "PID": 8712, "Process": "powershell.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:waitcompletionpacket:32

vol_handles

›

Raw tool output · cc3f037d6c4d264f4ff804b3cf2bfcc88274676d

{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518755072448, "PID": 8712, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:etwregistration:36

vol_handles

›

Raw tool output · f8140501a75494adaac5af01de291956825e7d33

{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518755260960, "PID": 8712, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:etwregistration:40

vol_handles

›

Raw tool output · 13776e313c5be691f63d2e4360a69bba4411d618

{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518790687872, "PID": 8712, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:etwregistration:44

vol_handles

›

Raw tool output · d3f4e13a7e31eb5aee86eb872f08a39ecee17b23

{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518710468720, "PID": 8712, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:directory:knowndlls

vol_handles

›

Raw tool output · f925cd0891f860804a041764e08c5b57b2c53dad

{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 8712, "Process": "powershell.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:event:52

vol_handles

›

Raw tool output · b48536153232a29d49bc92374094d9149ef65360

{"GrantedAccess": 2031619, "HandleValue": 52, "Name": null, "Offset": 154518772864720, "PID": 8712, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:event:56

vol_handles

›

Raw tool output · fedbe6fb3f0857a90de5e98a114ab070f2b21fa6

{"GrantedAccess": 2031619, "HandleValue": 56, "Name": null, "Offset": 154518772424288, "PID": 8712, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:file:\device\harddiskvolume2\windows\system32

vol_handles

›

Raw tool output · 330276164e5ed5e6885beede7708288d6016ca1b

{"GrantedAccess": 1048608, "HandleValue": 60, "Name": "\\Device\\HarddiskVolume2\\Windows\\System32", "Offset": 154518765509040, "PID": 8712, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:file:\device\condrv\connect

vol_handles

›

Raw tool output · ed5c6627ef4687d136fed27326968f380c2569de

{"GrantedAccess": 1180063, "HandleValue": 64, "Name": "\\Device\\ConDrv\\Connect", "Offset": 154518681636992, "PID": 8712, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:file:\device\condrv\reference

vol_handles

›

Raw tool output · 71e9b3428f3c0bfc0eaa5f313ab411ceba8134a2

{"GrantedAccess": 1180063, "HandleValue": 68, "Name": "\\Device\\ConDrv\\Reference", "Offset": 154518721322736, "PID": 8712, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:alpc port:72

vol_handles

›

Raw tool output · a091483b491005d34fce23c2f07e4af299da528d

{"GrantedAccess": 2031617, "HandleValue": 72, "Name": null, "Offset": 154518754951600, "PID": 8712, "Process": "powershell.exe", "Type": "ALPC Port", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:file:\device\condrv\input

vol_handles

›

Raw tool output · 242dff6958d3670ab7a3111db4d4f0d4a9542f2c

{"GrantedAccess": 1180063, "HandleValue": 76, "Name": "\\Device\\ConDrv\\Input", "Offset": 154518799199552, "PID": 8712, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:file:\device\condrv\output

vol_handles

›

Raw tool output · 9353e6594eca9a4b6c0578ad25f4d108cb3a8428

{"GrantedAccess": 1180063, "HandleValue": 80, "Name": "\\Device\\ConDrv\\Output", "Offset": 154518715712880, "PID": 8712, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:etwregistration:88

vol_handles

›

Raw tool output · f4a238e8670fa615efa57982eb27c00cfbdfbe1d

{"GrantedAccess": 2052, "HandleValue": 88, "Name": null, "Offset": 154518799227152, "PID": 8712, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:etwregistration:92

vol_handles

›

Raw tool output · a0619236225f3609a6829cf03b4f8a5d6a8defa6

{"GrantedAccess": 2052, "HandleValue": 92, "Name": null, "Offset": 154518754106112, "PID": 8712, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:iocompletion:96

vol_handles

›

Raw tool output · 73e1c03546249a0816b74e18608dfb57195012de

{"GrantedAccess": 2031619, "HandleValue": 96, "Name": null, "Offset": 154518673472576, "PID": 8712, "Process": "powershell.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:tpworkerfactory:100

vol_handles

›

Raw tool output · 8c4de8c01134c231a17950cd2351fcd78661686e

{"GrantedAccess": 983295, "HandleValue": 100, "Name": null, "Offset": 154518731171472, "PID": 8712, "Process": "powershell.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:irtimer:104

vol_handles

›

Raw tool output · b765b264205bd0c3ebab27553a72ad3760becb71

{"GrantedAccess": 1048578, "HandleValue": 104, "Name": null, "Offset": 154518681730304, "PID": 8712, "Process": "powershell.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:waitcompletionpacket:108

vol_handles

›

Raw tool output · 6dfb88ea2be2071f1b5cbcf9b2dc4546e11cb3b2

{"GrantedAccess": 1, "HandleValue": 108, "Name": null, "Offset": 154518684006768, "PID": 8712, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:irtimer:112

vol_handles

›

Raw tool output · 3c59779a1e95abb8773527c3ecabaecd46ec174d

{"GrantedAccess": 1048578, "HandleValue": 112, "Name": null, "Offset": 154518753162384, "PID": 8712, "Process": "powershell.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:waitcompletionpacket:116

vol_handles

›

Raw tool output · 3d5bd51456895aa87e37560987adc2b4446f0517

{"GrantedAccess": 1, "HandleValue": 116, "Name": null, "Offset": 154518675467104, "PID": 8712, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:key:machine\system\controlset001\control\session manager

vol_handles

›

Raw tool output · e9f46affca01f18a89602bdab87ecb064981c973

{"GrantedAccess": 1, "HandleValue": 120, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER", "Offset": 229276789021408, "PID": 8712, "Process": "powershell.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:key:machine\system\controlset001\control\nls\sorting\versions

vol_handles

›

Raw tool output · 46110e729c77d474f136ce4437b074957db5f35c

{"GrantedAccess": 131097, "HandleValue": 124, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS", "Offset": 229276797178384, "PID": 8712, "Process": "powershell.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:etwregistration:128

vol_handles

›

Raw tool output · b18bb453cbee8e1b5153fbc5248c3c6cdbc4f3b5

{"GrantedAccess": 2052, "HandleValue": 128, "Name": null, "Offset": 154518727150656, "PID": 8712, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:key:machine\software\microsoft\windows nt\currentversion\image file execution options

vol_handles

›

Raw tool output · e50a3ad317e21fc8edc761dbc174212da60f3ba3

{"GrantedAccess": 9, "HandleValue": 132, "Name": "MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS", "Offset": 229276805465104, "PID": 8712, "Process": "powershell.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:event:136

vol_handles

›

Raw tool output · 24145a073d724bdbd7b786ff4781249a5e048e7c

{"GrantedAccess": 2031619, "HandleValue": 136, "Name": null, "Offset": 154518722711520, "PID": 8712, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:iocompletion:140

vol_handles

›

Raw tool output · dcd1ee7b40d5edb10fe34a0e627c10a185d6e204

{"GrantedAccess": 2031619, "HandleValue": 140, "Name": null, "Offset": 154518787508672, "PID": 8712, "Process": "powershell.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:windowstation:service-0x0-6abe62$

vol_handles

›

Raw tool output · 084dc0956c4ca1b49af71bc43451ca4edc857aa7

{"GrantedAccess": 983406, "HandleValue": 144, "Name": "Service-0x0-6abe62$", "Offset": 154518680644928, "PID": 8712, "Process": "powershell.exe", "Type": "WindowStation", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:desktop:default

vol_handles

›

Raw tool output · a0558950618d9ca24ea8134681db60294a1994c0

{"GrantedAccess": 983247, "HandleValue": 148, "Name": "Default", "Offset": 154518724150560, "PID": 8712, "Process": "powershell.exe", "Type": "Desktop", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:file:\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\en-us\powershell.exe.mui

vol_handles

›

Raw tool output · a44b339e0b030d0910ca74d6cea660c651cec6fe

{"GrantedAccess": 1179785, "HandleValue": 156, "Name": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui", "Offset": 154518784044784, "PID": 8712, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:etwregistration:160

vol_handles

›

Raw tool output · 16b0d921818402bf90e1b847cbc10ded959a65ca

{"GrantedAccess": 2052, "HandleValue": 160, "Name": null, "Offset": 154518767764128, "PID": 8712, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:etwregistration:164

vol_handles

›

Raw tool output · 591bba65c9484751b4b2a0c0667883318761a61a

{"GrantedAccess": 2052, "HandleValue": 164, "Name": null, "Offset": 154518771311808, "PID": 8712, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:etwregistration:168

vol_handles

›

Raw tool output · e604241e5eb2f6867730f4c91560867f66832d8e

{"GrantedAccess": 2052, "HandleValue": 168, "Name": null, "Offset": 154518692702592, "PID": 8712, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:key:machine

vol_handles

›

Raw tool output · 3e549f2f85239675f5683cf18127e44b36f5d763

{"GrantedAccess": 131097, "HandleValue": 172, "Name": "MACHINE", "Offset": 229276804056960, "PID": 8712, "Process": "powershell.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:file:\device\cng

vol_handles

›

Raw tool output · aaf2b513d69116908b0edab65381672356b537f8

{"GrantedAccess": 1048577, "HandleValue": 176, "Name": "\\Device\\CNG", "Offset": 154518682969088, "PID": 8712, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:key:machine\software\microsoft\ole

vol_handles

›

Raw tool output · 035c4d333c2736ece436da592eaae902180c4d8e

{"GrantedAccess": 131097, "HandleValue": 180, "Name": "MACHINE\\SOFTWARE\\MICROSOFT\\OLE", "Offset": 229276804878720, "PID": 8712, "Process": "powershell.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:8712:event:184

vol_handles

›

Raw tool output · c263f170c628b247e040bd3d3929806ec464032f

{"GrantedAccess": 2031619, "HandleValue": 184, "Name": null, "Offset": 154518678391632, "PID": 8712, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}

▣

memory injection factpid:8712

vol_malfind

›

Raw tool output · 3599b46dc0f9098686bb5ea8ac0a641a29996480

{"CommitCharge": 8, "Disasm": "\"00 00 00 00 00 00 00 00 de 86 57 19 7a ea 00 01 ee ff ee ff 02 00 00 00 20 01 1a ce b4 01 00 00 20 01 1a ce b4 01 00 00 00 00 1a ce b4 01 00 00 00 00 1a ce b4 01 00 00 0f 00 00 00 00 00 00 00\"", "End VPN": 1876063617023, "File output": "Disabled", "Hexdump": "00 00 00 00 00 00 00 00 de 86 57 19 7a ea 00 01 ee ff ee ff 02 00 00 00 20 01 1a ce b4 01 00 00 20 01 1a ce b4 01 00 00 00 00 1a ce b4 01 00 00 00 00 1a ce b4 01 00 00 0f 00 00 00 00 00 00 00", "Notes": null, "PID": 8712, "PrivateMemory": 1, "Process": "powershell.exe", "Protection": "PAGE_EXECUTE_READWRI

▣

memory injection factpid:8712

vol_malfind

›

Raw tool output · 81d2d46df4061c0505cc9fc9d057b77bfec2628e

{"CommitCharge": 1, "Disasm": "\"00 00 00 00 00 00 00 00 30 77 1a ce b4 01 00 00 30 77 1a ce b4 01 00 00 00 00 1a ce b4 01 00 00 e0 0d 30 ce b4 01 00 00 00 10 30 ce b4 01 00 00 00 d0 30 ce b4 01 00 00 01 00 00 00 00 00 00 00\"", "End VPN": 1876065046527, "File output": "Disabled", "Hexdump": "00 00 00 00 00 00 00 00 30 77 1a ce b4 01 00 00 30 77 1a ce b4 01 00 00 00 00 1a ce b4 01 00 00 e0 0d 30 ce b4 01 00 00 00 10 30 ce b4 01 00 00 00 d0 30 ce b4 01 00 00 01 00 00 00 00 00 00 00", "Notes": null, "PID": 8712, "PrivateMemory": 1, "Process": "powershell.exe", "Protection": "PAGE_EXECUTE_READWRI

▣

memory injection factpid:8712

vol_malfind

›

Raw tool output · e4742ee9c1484e669d1898c1b3a993b67218c89e

{"CommitCharge": 2, "Disasm": "\"00 00 00 00 00 00 00 00 d9 d8 19 31 c9 8b 00 01 ee ff ee ff 02 00 00 00 20 01 53 ce b4 01 00 00 20 01 53 ce b4 01 00 00 00 00 53 ce b4 01 00 00 00 00 53 ce b4 01 00 00 0f 00 00 00 00 00 00 00\"", "End VPN": 1876067352575, "File output": "Disabled", "Hexdump": "00 00 00 00 00 00 00 00 d9 d8 19 31 c9 8b 00 01 ee ff ee ff 02 00 00 00 20 01 53 ce b4 01 00 00 20 01 53 ce b4 01 00 00 00 00 53 ce b4 01 00 00 00 00 53 ce b4 01 00 00 0f 00 00 00 00 00 00 00", "Notes": null, "PID": 8712, "PrivateMemory": 1, "Process": "powershell.exe", "Protection": "PAGE_EXECUTE_READWRI

▣

process factpid:8712

vol_psscanvol_pstree

›

Raw tool output · d429693874c80756dafac0082eaa8eac7f718308

{"CreateTime": "2018-08-30T16:43:36+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "powershell.exe", "Offset(V)": 154518771437696, "PID": 8712, "PPID": 2876, "SessionId": 0, "Threads": 11, "Wow64": false, "TreeDepth": 0}

▣

process relationship factpid:5848->pid:8712

vol_psscanvol_pstree

›

Raw tool output · 23438b155003d92b69218219bd947b9ff676a5b4

{"CreateTime": "2018-08-30T16:43:42+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "powershell.exe", "Offset(V)": 154518694315200, "PID": 5848, "PPID": 8712, "SessionId": 0, "Threads": 9, "Wow64": true, "TreeDepth": 0}

▣

process relationship factpid:1740->pid:8712

vol_psscanvol_pstree

›

Raw tool output · 0706b29b2490179af3fe1d8024aa8860d7482d40

{"CreateTime": "2018-08-30T16:43:36+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "conhost.exe", "Offset(V)": 154518716031104, "PID": 1740, "PPID": 8712, "SessionId": 0, "Threads": 4, "Wow64": false, "TreeDepth": 0}

▣

process relationship factpid:8712->pid:2876

vol_psscanvol_pstree

›

Raw tool output · 143b97d30a8c0f2c84da4a1e5b800e110fb471e1

{"CreateTime": "2018-08-30T16:43:36+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "powershell.exe", "Offset(V)": 154518771437696, "PID": 8712, "PPID": 2876, "SessionId": 0, "Threads": 11, "Wow64": false, "TreeDepth": 0}

Source tools

vol_handlesvol_malfindvol_psscanvol_pstree