F036 · MEDIUM · Inconclusive · validator: passed
Credential dumping tool deployment (PWDumpX.exe, SysInternal tools)
PWDumpX.exe in C:\Windows\Temp\perfmon\
Analyst narrative
PWDumpX.exe and related credential-dumping utilities were staged in C:\Windows\Temp\perfmon\ with ShimCache execution evidence. Combined with the PsExec and PowerShell reflection patterns, this indicates comprehensive offensive toolkit deployment for credential theft and lateral movement.
Claims asserted
hash · PWDumpX.exe
sha1: e78b845045f7522c02e463a9b22db48e61ec0e54
tools: get_amcache, run_appcompatcacheparser, extract_mft_timeline
Proof chain · 1 fact
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
file execution fact
sha1:e78b845045f7522c02e463a9b22db48e61ec0e54 · get_amcache
Raw tool output · e4f9a4ff463a3c8d1007fa30a616983a3f1e9ab4
{"path": "C:\\Windows\\Temp\\perfmon\\PWDumpX.exe", "sha1": "e78b845045f7522c02e463a9b22db48e61ec0e54", "first_run": "", "publisher": null, "file_size": null}
Source tools
extract_mft_timeline, get_amcache, run_appcompatcacheparser