Analysis

Category FILE
Package exe
Started 2019-05-16 02:55:31
Completed 2019-05-16 02:56:07
Duration 36 seconds
route = internet
procdump = 1
arguments = "Invoke-Dump Invoke-MimiK"
2019-05-16 03:55:34,000 [root] INFO: Date set to: 05-16-19, time set to: 02:55:34, timeout set to: 200
2019-05-16 03:55:34,015 [root] DEBUG: Starting analyzer from: C:\zxtsca
2019-05-16 03:55:34,015 [root] DEBUG: Storing results at: C:\csFXbysV
2019-05-16 03:55:34,015 [root] DEBUG: Pipe server name: \\.\PIPE\uQEhpuSVE
2019-05-16 03:55:34,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-05-16 03:55:34,015 [root] INFO: Automatically selected analysis package "exe"
2019-05-16 03:55:34,576 [root] DEBUG: Started auxiliary module Browser
2019-05-16 03:55:34,576 [root] DEBUG: Started auxiliary module Curtain
2019-05-16 03:55:34,576 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-05-16 03:55:35,075 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-05-16 03:55:35,075 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-05-16 03:55:35,075 [root] DEBUG: Started auxiliary module DigiSig
2019-05-16 03:55:35,092 [root] DEBUG: Started auxiliary module Disguise
2019-05-16 03:55:35,092 [root] DEBUG: Started auxiliary module Human
2019-05-16 03:55:35,092 [root] DEBUG: Started auxiliary module Screenshots
2019-05-16 03:55:35,092 [root] DEBUG: Started auxiliary module Sysmon
2019-05-16 03:55:35,092 [root] DEBUG: Started auxiliary module Usage
2019-05-16 03:55:35,092 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-05-16 03:55:35,092 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-05-16 03:55:35,170 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\PowerPole.exe" with arguments ""Invoke-Dump Invoke-MimiK"" with pid 1860
2019-05-16 03:55:35,309 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 03:55:35,309 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-16 03:55:35,309 [lib.api.process] INFO: Option 'arguments' with value '"Invoke-Dump Invoke-MimiK"' sent to monitor
2019-05-16 03:55:35,309 [lib.api.process] INFO: 64-bit DLL to inject is C:\zxtsca\dll\zftQkcE.dll, loader C:\zxtsca\bin\CDxhpGOb.exe
2019-05-16 03:55:35,325 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\uQEhpuSVE.
2019-05-16 03:55:35,325 [root] DEBUG: Loader: Injecting process 1860 (thread 1460) with C:\zxtsca\dll\zftQkcE.dll.
2019-05-16 03:55:35,325 [root] DEBUG: Process image base: 0x0000000000900000
2019-05-16 03:55:35,325 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-05-16 03:55:35,325 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-05-16 03:55:35,325 [root] DEBUG: Successfully injected DLL C:\zxtsca\dll\zftQkcE.dll.
2019-05-16 03:55:35,325 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1860
2019-05-16 03:55:37,338 [lib.api.process] INFO: Successfully resumed process with pid 1860
2019-05-16 03:55:37,338 [root] INFO: Added new process to list with pid: 1860
2019-05-16 03:55:37,354 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-05-16 03:55:37,354 [root] DEBUG: Process dumps enabled.
2019-05-16 03:55:37,354 [root] DEBUG: CAPE debug - unrecognised key arguments.
2019-05-16 03:55:37,400 [root] WARNING: Unable to place hook on LockResource
2019-05-16 03:55:37,400 [root] WARNING: Unable to hook LockResource
2019-05-16 03:55:37,463 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1860 at 0x0000000074460000, image base 0x0000000000900000, stack from 0x00000000005F5000-0x0000000000600000
2019-05-16 03:55:37,463 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\PowerPole.exe" "Invoke-Dump Invoke-MimiK".
2019-05-16 03:55:37,463 [root] INFO: Monitor successfully loaded in process with pid 1860.
2019-05-16 03:55:37,493 [root] DEBUG: DLL loaded at 0x000007FEF2F10000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-05-16 03:55:37,509 [root] DEBUG: DLL loaded at 0x000007FEF2570000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-05-16 03:55:37,509 [root] DEBUG: DLL loaded at 0x00000000747D0000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-05-16 03:55:37,540 [root] INFO: Disabling sleep skipping.
2019-05-16 03:55:37,555 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-05-16 03:55:37,572 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-05-16 03:55:37,588 [root] DEBUG: DLL loaded at 0x000007FEF1690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-05-16 03:55:37,602 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-05-16 03:55:37,618 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-05-16 03:55:37,618 [root] DEBUG: DLL loaded at 0x000007FEF1500000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-05-16 03:55:37,634 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00160000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2019-05-16 03:55:37,680 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1860
2019-05-16 03:55:37,680 [root] DEBUG: GetHookCallerBase: thread 1460 (handle 0x0), return address 0x00000000744D5008, allocation base 0x0000000074460000.
2019-05-16 03:55:37,680 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000000900000.
2019-05-16 03:55:37,697 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000000900000.
2019-05-16 03:55:37,697 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000000000.
2019-05-16 03:55:37,697 [root] DEBUG: DumpProcess: There was a problem reading one or more sections, the dump may be incomplete.
2019-05-16 03:55:37,789 [root] INFO: Added new CAPE file to list with path: C:\csFXbysV\CAPE\1860_104078880237351216452019
2019-05-16 03:55:37,789 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9a6200.
2019-05-16 03:55:37,822 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-05-16 03:55:37,836 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-05-16 03:55:37,836 [root] DEBUG: DLL unloaded from 0x000007FEF2570000.
2019-05-16 03:55:37,836 [root] DEBUG: DLL unloaded from 0x000007FEF2F10000.
2019-05-16 03:55:37,836 [root] INFO: Notified of termination of process with pid 1860.
2019-05-16 03:55:38,351 [root] INFO: Process with pid 1860 has terminated
2019-05-16 03:55:43,421 [root] INFO: Process list is empty, terminating analysis.
2019-05-16 03:55:44,436 [root] INFO: Created shutdown mutex.
2019-05-16 03:55:45,450 [root] INFO: Shutting down package.
2019-05-16 03:55:45,450 [root] INFO: Stopping auxiliary modules.
2019-05-16 03:55:45,450 [root] INFO: Finishing auxiliary modules.
2019-05-16 03:55:45,450 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-05-16 03:55:45,450 [root] WARNING: File at path "C:\csFXbysV\debugger" does not exist, skip.
2019-05-16 03:55:45,450 [root] INFO: Analysis completed.

MalScore

5.1

Suspicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-05-16 02:55:33
Shutdown On 2019-05-16 02:56:06

File Details

File Name PowerPole.exe
File Size 10118656 bytes
File Type PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
MD5 158b6b60973f5313855eb89a6de7d565
SHA1 99c9499a7a89f664562d5a6de940fbcb8c9ab332
SHA256 7e6b49dbdef9ea7c5bd6067a1744ce9be3dec4997635aad86b5c329c15697824
SHA512 390fe4a5deaa425f1ff12c4a3de5873db3c8fbad35febbe88ee02cb22b66d097c53dab96a34f717aabbddffa7bb380ff0a7db883bc18a3f279365c4cfe02a76f
CRC32 116A2015
Ssdeep 49152:hhlPzmh2uJbPlMP6PWO+ta10R6Jqoc7q1jhy+4kQR56OiVYa0NFzzgBuJGh:
TrID
  • 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
  • 33.1% (.EXE) Generic Win/DOS Executable (2002/3)
  • 33.1% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: PowerPole.exe, PID 1860
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlVirtualUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: KERNEL32.dll/GlobalMemoryStatusEx
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: KERNEL32.dll/GetStdHandle
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/GetConsoleOutputCP
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\sysnative\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework64\*
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Users\user\AppData\Local\Temp\PowerPole.exe.config
C:\Users\user\AppData\Local\Temp\PowerPole.exe
C:\Users\user\AppData\Local\Temp\PowerPole.exe.Local\
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_64\index169.dat
C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni.dll
C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows\sysnative\l_intl.nls
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ole32.dll
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\PowerPole.INI
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit.dll
C:\Windows\Globalization\en-gb.nlp
C:\Windows\Globalization\en-us.nlp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1860.37777138
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1860.37777138
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1860.37777169
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Users\user\AppData\Local\Temp\PowerPole.exe.config
C:\Users\user\AppData\Local\Temp\PowerPole.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_64\index169.dat
C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni.dll
C:\Windows\sysnative\l_intl.nls
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.1860.37777138
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.1860.37777138
C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.1860.37777169
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PowerPole.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,AMD64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\71ab4479\1c5fc439
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CseOn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\TailCallOpt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\PInvokeInline
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\PInvokeCalliOpt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NewGCCalc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\TURNOFFDEBUGINFO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableHotCold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\internal\jit\Perf
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\index169\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\NI\181938c6\7950e2c5\82\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_64\IL\7950e2c5\19b8f67f\82\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,AMD64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CseOn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\TailCallOpt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\PInvokeInline
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\PInvokeCalliOpt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NewGCCalc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\TURNOFFDEBUGINFO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableHotCold
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
kernel32.dll.InitializeCriticalSectionAndSpinCount
msvcrt.dll._set_error_mode
msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlVirtualUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.GetVersionExW
kernel32.dll.GetFullPathNameW
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
mscorjit.dll.getJit
kernel32.dll.GetUserDefaultUILanguage
kernel32.dll.GetStdHandle
kernel32.dll.CloseHandle
kernel32.dll.WriteFile
kernel32.dll.GetConsoleOutputCP
kernel32.dll.UnmapViewOfFile
ole32.dll.CoUninitialize
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
Global\CLR_CASOFF_MUTEX

PE Information

Image Base 0x00400000
Entry Point 0x00400000
Reported Checksum 0x00000000
Actual Checksum 0x009b069b
Minimum OS Version 4.0
PDB Path c:\software\PowerLine\PowerLine\PowerLineTemplate\obj\x64\Release\PowerLine.pdb
Compile Time 2019-03-04 23:52:00

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00002000 0x009a5f74 0x009a6000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 3.66
.rsrc 0x009a8000 0x00000370 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.83

.text
`.rsrc
@.reloc
v2.0.50727
#Strings
#GUID
#Blob
<Module>
PowerLine.exe
Functions
PowerLine
MyPSHost
MyPSHostUI
MyPSHostRawUI
PowerLineMain
Sample
MyCode
mscorlib
System
Object
System.Management.Automation
System.Management.Automation.Host
PSHost
PSHostUserInterface
PSHostRawUserInterface
System.Configuration.Install
Installer
System.Collections.Generic
Dictionary`2
Funcs
InitDictionary
.ctor
_hostId
get_InstanceId
get_Name
Version
get_Version
get_UI
System.Globalization
CultureInfo
get_CurrentCulture
get_CurrentUICulture
EnterNestedPrompt
ExitNestedPrompt
NotifyBeginApplication
NotifyEndApplication
SetShouldExit
InstanceId
CurrentCulture
CurrentUICulture
_rawui
List`1
get_RawUI
PSObject
System.Collections.ObjectModel
Collection`1
FieldDescription
Prompt
get_Output
ChoiceDescription
PromptForChoice
PSCredential
PromptForCredential
PSCredentialTypes
PSCredentialUIOptions
ReadLine
System.Security
SecureString
ReadLineAsSecureString
Write
ConsoleColor
WriteDebugLine
WriteErrorLine
WriteLine
ProgressRecord
WriteProgress
WriteVerboseLine
WriteWarningLine
RawUI
Output
_bgColor
_fgColor
_bufSize
get_BackgroundColor
set_BackgroundColor
get_BufferSize
set_BufferSize
Coordinates
get_CursorPosition
set_CursorPosition
get_CursorSize
set_CursorSize
get_ForegroundColor
set_ForegroundColor
get_KeyAvailable
get_MaxPhysicalWindowSize
get_MaxWindowSize
get_WindowPosition
set_WindowPosition
get_WindowSize
set_WindowSize
get_WindowTitle
set_WindowTitle
FlushInputBuffer
BufferCell
Rectangle
GetBufferContents
KeyInfo
ReadKeyOptions
ReadKey
ScrollBufferContents
SetBufferContents
BackgroundColor
BufferSize
CursorPosition
CursorSize
ForegroundColor
KeyAvailable
MaxPhysicalWindowSize
MaxWindowSize
WindowPosition
WindowSize
WindowTitle
SW_HIDE
SW_SHOW
GetConsoleWindow
ShowWindow
System.Collections
IDictionary
Uninstall
StartHere
ExecuteFunc
ShowScripts
decodeString
encodeString
System.Reflection
AssemblyFileVersionAttribute
AssemblyVersionAttribute
System.Runtime.InteropServices
GuidAttribute
ComVisibleAttribute
AssemblyCultureAttribute
AssemblyTrademarkAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
System.Diagnostics
DebuggableAttribute
DebuggingModes
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
NewGuid
System.Threading
Thread
get_CurrentThread
exitCode
caption
message
descriptions
choices
defaultChoice
userName
targetName
allowedCredentialTypes
options
value
foregroundColor
backgroundColor
String
Concat
sourceId
record
NotImplementedException
rectangle
source
destination
origin
contents
DllImportAttribute
kernel32.dll
user32.dll
nCmdShow
ToLower
op_Equality
System.ComponentModel
RunInstallerAttribute
savedState
System.IO
StreamReader
TextReader
Console
ContainsKey
get_Item
System.Management.Automation.Runspaces
RunspaceFactory
Runspace
CreateRunspace
Pipeline
CreatePipeline
CommandCollection
get_Commands
AddScript
Command
PipelineResultTypes
MergeMyResults
InvokeAsync
get_Count
Sleep
PipelineStateInfo
get_PipelineStateInfo
PipelineState
get_State
Enumerator
GetEnumerator
KeyValuePair`2
get_Current
get_Key
MoveNext
IDisposable
Dispose
Convert
FromBase64String
System.Text
Encoding
get_UTF8
GetString
GetBytes
ToBase64String
1.0.0.0
$a4990544-3228-4bb9-9651-b05f516e0b71
Microsoft 2017
PowerLineTemplate
Microsoft
c:\software\PowerLine\PowerLine\PowerLineTemplate\obj\x64\Release\PowerLine.pdb
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
CompanyName
Microsoft
FileDescription
PowerLineTemplate
FileVersion
1.0.0.0
InternalName
PowerLine.exe
LegalCopyright
Microsoft 2017
OriginalFilename
PowerLine.exe
ProductName
PowerLineTemplate
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
This file is not on VirusTotal.

Process Tree

PowerPole.exe, PID: 1860, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\PowerPole.exe
Command Line: "C:\Users\user\AppData\Local\Temp\PowerPole.exe" "Invoke-Dump Invoke-MimiK"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name PowerPole.exe
PID 1860
Dump Size 10117632 bytes
Module Path C:\Users\user\AppData\Local\Temp\PowerPole.exe
Type PE image: 64-bit executable
MD5 538141532ead5aa390b86b0451794afb
SHA1 6a4aea4b187522a9eb76a2ad352eff9f305fdc9c
SHA256 5d93a3db75751e41c6a2b68433dbecfba64e98420c5be4874f196f44a3cdf6b1
CRC32 2BA5635A
Ssdeep 49152:ehlPzmh2uJbPlMP6PWO+ta10R6Jqoc7q1jhy+4kQR56OiVYa0NFzzgBuJGh:
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 5d93a3db75751e41c6a2b68433dbecfba64e98420c5be4874f196f44a3cdf6b1

Processing ( 1221.617 seconds )

  • 1198.46 Strings
  • 8.065 CAPE
  • 6.395 Static
  • 4.004 TargetInfo
  • 3.98 ProcDump
  • 0.511 TrID
  • 0.088 BehaviorAnalysis
  • 0.069 static_dotnet
  • 0.032 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.068 seconds )

  • 0.011 antiav_detectreg
  • 0.005 infostealer_ftp
  • 0.004 antiav_detectfile
  • 0.004 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 stealth_timeout
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 api_spamming
  • 0.002 decoy_document
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 browser_security
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 Doppelganging
  • 0.001 Extraction
  • 0.001 injection_createremotethread
  • 0.001 betabot_behavior
  • 0.001 InjectionCreateRemoteThread
  • 0.001 InjectionProcessHollowing
  • 0.001 antivm_generic_scsi
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 injection_runpe
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 74099
Mongo ID 5cdcd611f284885ccdcee939
Cuckoo release 1.3-CAPE