Veritas
F002MEDIUMSuspiciousvalidator: passed

PowerShell process memory injection (reflective load)

PowerShell process with RWX injected memory region (reflective load)

⚖ The AI did not get the final word
Model / ReAct proposed
Confirmed malicious
Veritas (deterministic) verdict
Suspicious
Promotion withheld because
  • gate:confirmed_ineligible[rwx_memory_region_uncorroborated,weak_alone_signal_uncorroborated]
  • MALICIOUS_SEMANTIC_GATE=FAIL
  • RWX_REQUIRES_CORROBORATION_GATE=FAIL
Analyst narrative

powershell.exe PID 8712 (parent WmiPrvSE.exe PID 2876) has multiple PAGE_EXECUTE_READWRITE VadS regions in private memory indicating reflective code injection. Candidate cand-0001/cand-0002 fact_ids=memory_injection_fact-0000003,0000004,0000005.

Claims asserted

pid-vol_malfindvol_psscanvol_pstree
user_accountspsql

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

handle facthandle:pid:2876:event:4
vol_handles
Raw tool output · d29b5493556e0bb75ec7196f40d33b3eafddb5b3
{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518758722992, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:waitcompletionpacket:8
vol_handles
Raw tool output · c8f2b9c7b11aea881539181738adb6964af154bc
{"GrantedAccess": 1, "HandleValue": 8, "Name": null, "Offset": 154518758694240, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:2876:iocompletion:12
vol_handles
Raw tool output · 1bfe2c87ea1bd27e7b75c081488c5410e7dfac28
{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518758125440, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle facthandle:pid:2876:tpworkerfactory:16
vol_handles
Raw tool output · 6be089fa2d3009a018cedc9ed53d6d2062b418b0
{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518758266992, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle facthandle:pid:2876:irtimer:20
vol_handles
Raw tool output · a379e063e0f6bad1f82ff848a85fe6fe069efd30
{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518750006864, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:2876:waitcompletionpacket:24
vol_handles
Raw tool output · f9eccd9cae8c95ae5bdb1ff1f55adf6e922760dd
{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518758766112, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:2876:irtimer:28
vol_handles
Raw tool output · 8f5150abb6ad040837ffec329a166bc57f19a52f
{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518758406400, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:2876:waitcompletionpacket:32
vol_handles
Raw tool output · ddec52d0d3a219a348cecdafc90d3ce0b94cb97e
{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518758798912, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:36
vol_handles
Raw tool output · bc62c9c1249fc81bd3ebb446ce88dd37fad887e8
{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518758567264, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:40
vol_handles
Raw tool output · 70e1cc3fa0ee6fc6acf3212b978034c73108e9a5
{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518758140960, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:44
vol_handles
Raw tool output · cfb3354f52f3813a1fc1c043ac485f784760afdf
{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518758141184, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:directory:knowndlls
vol_handles
Raw tool output · 9c739467224979c5857411aef148f8df260089ab
{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Directory", "TreeDepth": 0}
handle facthandle:pid:2876:event:52
vol_handles
Raw tool output · 49bd70a099058016b0c2795c8742448952448c80
{"GrantedAccess": 2031619, "HandleValue": 52, "Name": null, "Offset": 154518758631728, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:event:56
vol_handles
Raw tool output · 702416160359f6a4efe519e4d606db0b507b92ec
{"GrantedAccess": 2031619, "HandleValue": 56, "Name": null, "Offset": 154518758801376, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:file:\device\harddiskvolume2\windows\system32
vol_handles
Raw tool output · c263763d1f55f0cf3b8c2cf4853bf8049158f5f2
{"GrantedAccess": 1048608, "HandleValue": 60, "Name": "\\Device\\HarddiskVolume2\\Windows\\System32", "Offset": 154518758570480, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "File", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:64
vol_handles
Raw tool output · eb266ecd502a79c21394cf51826d90febcce712d
{"GrantedAccess": 2052, "HandleValue": 64, "Name": null, "Offset": 154518758221568, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:68
vol_handles
Raw tool output · 8e9e7a1e55ef0f72d66c13f290e82df995f98df0
{"GrantedAccess": 2052, "HandleValue": 68, "Name": null, "Offset": 154518758221792, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:alpc port:72
vol_handles
Raw tool output · a9c76971d5dc93f31799c050383524ecb1765727
{"GrantedAccess": 2031617, "HandleValue": 72, "Name": null, "Offset": 154518758809712, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "ALPC Port", "TreeDepth": 0}
handle facthandle:pid:2876:iocompletion:76
vol_handles
Raw tool output · 74bab965cd765d70384ec6f92b62ec7100c25bf3
{"GrantedAccess": 2031619, "HandleValue": 76, "Name": null, "Offset": 154518714304448, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle facthandle:pid:2876:tpworkerfactory:80
vol_handles
Raw tool output · 4b2dc743c5e6d4ba4207391b9019a3290f419cfe
{"GrantedAccess": 983295, "HandleValue": 80, "Name": null, "Offset": 154518758812208, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle facthandle:pid:2876:irtimer:84
vol_handles
Raw tool output · a36c6a3a723667268b52d7de7e5ea52500806407
{"GrantedAccess": 1048578, "HandleValue": 84, "Name": null, "Offset": 154518750242400, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:2876:waitcompletionpacket:88
vol_handles
Raw tool output · ef946201a23a25fee45722283ee1f579e9e4e5de
{"GrantedAccess": 1, "HandleValue": 88, "Name": null, "Offset": 154518758774160, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:2876:irtimer:92
vol_handles
Raw tool output · 163555ddc8e9ca120c8c4da08197000c7f687017
{"GrantedAccess": 1048578, "HandleValue": 92, "Name": null, "Offset": 154518732897200, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:2876:waitcompletionpacket:96
vol_handles
Raw tool output · 1bf6b5b386d1aa40fb059364c1dd658c780db67b
{"GrantedAccess": 1, "HandleValue": 96, "Name": null, "Offset": 154518758812000, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:2876:key:machine\system\controlset001\control\session manager
vol_handles
Raw tool output · f159df50ec1d9b1a3fca36257f5a18408a0d10cb
{"GrantedAccess": 1, "HandleValue": 100, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER", "Offset": 229276731836288, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Key", "TreeDepth": 0}
handle facthandle:pid:2876:key:machine\system\controlset001\control\nls\sorting\versions
vol_handles
Raw tool output · ab19507216f24bd122e077e97cbd0d37c42aa985
{"GrantedAccess": 131097, "HandleValue": 104, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS", "Offset": 229276744481616, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Key", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:108
vol_handles
Raw tool output · 55bc8aabf453a4602dccd72bd1790ea46f3b0952
{"GrantedAccess": 2052, "HandleValue": 108, "Name": null, "Offset": 154518758176544, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:key:machine
vol_handles
Raw tool output · cfd07f9c76599c395c68d37b2bfaa19455385e9e
{"GrantedAccess": 131097, "HandleValue": 112, "Name": "MACHINE", "Offset": 229276744154640, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Key", "TreeDepth": 0}
handle facthandle:pid:2876:file:\device\cng
vol_handles
Raw tool output · ee60d8772f05f799cb74c9f02c0e4b5ce9f1608e
{"GrantedAccess": 1048577, "HandleValue": 116, "Name": "\\Device\\CNG", "Offset": 154518758716688, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "File", "TreeDepth": 0}
handle facthandle:pid:2876:key:machine\software\microsoft\ole
vol_handles
Raw tool output · a0cfd3b929ec14fcb4ed848c77e4c151ae683b2b
{"GrantedAccess": 131097, "HandleValue": 124, "Name": "MACHINE\\SOFTWARE\\MICROSOFT\\OLE", "Offset": 229276744773136, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Key", "TreeDepth": 0}
handle facthandle:pid:2876:event:128
vol_handles
Raw tool output · cf28ce584e4a6d7dd847ea525e8b97696bc4e6db
{"GrantedAccess": 2031619, "HandleValue": 128, "Name": null, "Offset": 154518758201344, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:132
vol_handles
Raw tool output · 7077239fb197266a0edfdbdf25d7df22f4825592
{"GrantedAccess": 2052, "HandleValue": 132, "Name": null, "Offset": 154518750597008, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:136
vol_handles
Raw tool output · 1166f7213d977aa0a7a11fae2c5d7bea6cdefdd1
{"GrantedAccess": 2052, "HandleValue": 136, "Name": null, "Offset": 154518758224960, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:140
vol_handles
Raw tool output · 824d35aae2dc62fa95539ea7fae130049baab63d
{"GrantedAccess": 2052, "HandleValue": 140, "Name": null, "Offset": 154518758858160, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:event:144
vol_handles
Raw tool output · 797425162da831cf78ac6e6935ff84474d3b2fb4
{"GrantedAccess": 2031619, "HandleValue": 144, "Name": null, "Offset": 154518758597408, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:event:148
vol_handles
Raw tool output · 652d120337c05bc9cc8397a7808c26e48ea3ba93
{"GrantedAccess": 2031619, "HandleValue": 148, "Name": null, "Offset": 154518758201216, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:event:152
vol_handles
Raw tool output · 2944b1158ca44b890dfb908983d5ffee39c3805a
{"GrantedAccess": 2031619, "HandleValue": 152, "Name": null, "Offset": 154518758597536, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:event:156
vol_handles
Raw tool output · f71fd164e8f3b88d57e4b474b58accf2d6b5bd7a
{"GrantedAccess": 2031619, "HandleValue": 156, "Name": null, "Offset": 154518758856224, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:event:160
vol_handles
Raw tool output · e520d82b0410e538d7e81ad2e72b5533a99806fe
{"GrantedAccess": 2031619, "HandleValue": 160, "Name": null, "Offset": 154518758856096, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:event:164
vol_handles
Raw tool output · 00a33b97a0fa30cc7e50ebc040e579a1c90933ee
{"GrantedAccess": 2031619, "HandleValue": 164, "Name": null, "Offset": 154518758200768, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:168
vol_handles
Raw tool output · 0f2621195c756559b86a59d0dc7866daffa4e1bf
{"GrantedAccess": 2052, "HandleValue": 168, "Name": null, "Offset": 154518758793328, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:directory:basenamedobjects
vol_handles
Raw tool output · e23784c4b0338bebfb04e3faa201fe55a2d976a3
{"GrantedAccess": 15, "HandleValue": 172, "Name": "BaseNamedObjects", "Offset": 229276810769120, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Directory", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:176
vol_handles
Raw tool output · 10194e7ff243bc9379828065a029898709678474
{"GrantedAccess": 2052, "HandleValue": 176, "Name": null, "Offset": 154518758794064, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:180
vol_handles
Raw tool output · a58d958ed561934220f5b376234fa0f32b731b71
{"GrantedAccess": 2052, "HandleValue": 180, "Name": null, "Offset": 154518758793840, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:184
vol_handles
Raw tool output · 911e5498c9836c1ee158a3fdc94f9c1d1e61f772
{"GrantedAccess": 2052, "HandleValue": 184, "Name": null, "Offset": 154518758793616, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:2876:etwregistration:188
vol_handles
Raw tool output · 9c49beb02a18f78ce5db98c96db5bec3f46e043a
{"GrantedAccess": 2052, "HandleValue": 188, "Name": null, "Offset": 154518758772848, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}
process factpid:2876
vol_psscan
Raw tool output · fda7556e5f7ae9df2b483f98858223a4a0cd9f2b
{"CreateTime": "2018-08-30T13:52:26+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "WmiPrvSE.exe", "Offset(V)": 154518718150016, "PID": 2876, "PPID": 868, "SessionId": 0, "Threads": 10, "Wow64": false, "TreeDepth": 0}
process relationship factpid:2876->pid:868
vol_psscanvol_pstree
Raw tool output · 9ec674d7663c65e93582baec418c4287f4e41e8c
{"CreateTime": "2018-08-30T13:52:26+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "WmiPrvSE.exe", "Offset(V)": 154518718150016, "PID": 2876, "PPID": 868, "SessionId": 0, "Threads": 10, "Wow64": false, "TreeDepth": 0}
process relationship factpid:8712->pid:2876
vol_psscanvol_pstree
Raw tool output · 143b97d30a8c0f2c84da4a1e5b800e110fb471e1
{"CreateTime": "2018-08-30T16:43:36+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "powershell.exe", "Offset(V)": 154518771437696, "PID": 8712, "PPID": 2876, "SessionId": 0, "Threads": 11, "Wow64": false, "TreeDepth": 0}
psxview factpsxview:pid:2876
vol_psxview
Raw tool output · f0dae9b60eadf0a12ae65a0c72499f9b860c4986
{"Exit Time": "", "Name": "WmiPrvSE.exe", "Offset(Virtual)": 154518718150016, "PID": 2876, "csrss": true, "pslist": true, "psscan": true, "thrdscan": true, "TreeDepth": 0}

Source tools

vol_malfindvol_psscanvol_pstree