F012 · MEDIUM · Inconclusive · validator: passed
PsExec service infrastructure detected in registry and amcache
PSEXESVC.exe
Analyst narrative
PSEXESVC.exe was detected in the registry service configuration (HKLM\System\ControlSet001\Services\PSEXESVC\ImagePath and the ControlSet002 equivalent) and in amcache records. This indicates a persistent administrative backdoor via PsExec.
Claims asserted
path · PSEXESVC.exe · parse_registry_persistence · get_amcache
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
get_amcache · parse_registry_persistence