Staged execution artifacts detected in AppCompatCache: PWDumpX, PsExec, DismHost
AppCompatCache execution artifacts: PWDumpX.exe, PsExec.exe, DismHost.exe
Multiple suspicious executables were detected in AppCompatCache with the Executed flag set, indicating prior execution from staging directories: PWDumpX.exe (credential dumping, TA0006), PsExec.exe (lateral movement, TA0008), and DismHost.exe variants from Windows temp directories (exploitation/staging, TA0002). Candidates: cand-0027, cand-0028, cand-0029-0037, cand-0048, cand-0050, cand-0087, cand-0088. These executables show evidence of disk-based staging (TA0005 defense evasion) combined with multiple distinct tactics.
Claims asserted
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.