Veritas
F023 · CRITICAL · Confirmed malicious · validator: passed

PsExec and PWDumpX staging in Windows Temp directory

path:C:\Windows\Temp\perfmon\PsExec.exe

Analyst narrative

PsExec.exe and PWDumpX.exe were found in C:\Windows\Temp\perfmon\. The AppCompatCache (ShimCache) in the SYSTEM hive lists PsExec.exe under both ControlSet001 and ControlSet002 with Executed: Yes, and Amcache records its SHA1 2013247c1481bb44bbebbb927a153b42e73b499f. A remote execution tool staged beside a credential dumping tool in a throwaway directory under Windows\Temp indicates preparation for lateral movement and credential theft. Two caveats: the LastModifiedTimeUTC value in the cache entry (2018-09-04 18:31:47) is the file's modification time carried into the cache, not the time it ran; and the proof chain below covers PsExec.exe only, so the PWDumpX.exe observation has no linked fact on this page.

Claims asserted

claim | value                                                    | validated by
path  | C:\Windows\Temp\perfmon\PsExec.exe                       | get_amcache, extract_mft_timeline
hash  | PsExec.exe sha1:2013247c1481bb44bbebbb927a153b42e73b499f | get_amcache, extract_mft_timeline

Proof chain · 3 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

Fact 1 · appcompatcache execution fact
  key: appcompatcache:sysvol/windows/temp/perfmon/psexec.exe
  produced by: run_appcompatcacheparser
  Raw tool output · 2e08d33bdab71d9da42fa09e09c39ce8f59c9c31
  {"ControlSet": "1", "CacheEntryPosition": "46", "Path": "SYSVOL\\Windows\\Temp\\perfmon\\PsExec.exe", "LastModifiedTimeUTC": "2018-09-04 18:31:47", "Executed": "Yes", "Duplicate": "False", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}

Fact 2 · appcompatcache execution fact
  key: appcompatcache:sysvol/windows/temp/perfmon/psexec.exe
  produced by: run_appcompatcacheparser
  Raw tool output · cef1b2648bbc7f775c88961b036487eec1f0457e
  {"ControlSet": "2", "CacheEntryPosition": "46", "Path": "SYSVOL\\Windows\\Temp\\perfmon\\PsExec.exe", "LastModifiedTimeUTC": "2018-09-04 18:31:47", "Executed": "Yes", "Duplicate": "True", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}

Fact 3 · file execution fact
  key: sha1:2013247c1481bb44bbebbb927a153b42e73b499f
  produced by: get_amcache
  Raw tool output · 3a50aa38d43a9b92c571c2602736480c34a30207
  {"path": "C:\\Windows\\Temp\\perfmon\\PsExec.exe", "sha1": "2013247c1481bb44bbebbb927a153b42e73b499f", "first_run": "", "publisher": null, "file_size": null}

Source tools

extract_mft_timeline, get_amcache, parse_userassist, run_appcompatcacheparser