F013MEDIUMSuspiciousvalidator: passed

cmd.exe spawning suspicious p.exe from temporary directory

cmd.exe process spawning temp\perfmon\p.exe

⚖ The AI did not get the final word

Model / ReAct proposed

Confirmed malicious

→

Veritas (deterministic) verdict

Suspicious

Promotion withheld because

✕gate:confirmed_ineligible[weak_alone_signal_uncorroborated]
✕MALICIOUS_SEMANTIC_GATE=FAIL

Analyst narrative

cmd.exe (PID 5948) executed with command line 'C:\WINDOWS\system32\cmd.exe /C c:\windows\temp\perfmon\p.exe', directly invoking suspicious staging-area executable. This indicates attacker command execution chain.

Claims asserted

pid-vol_pstreevol_cmdline

user_accountspsql

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

⊞

handle facthandle:pid:5948:event:4

vol_handles

›

Raw tool output · 742fa23efcf1a5e169792105513baedbe88b7615

{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518791048112, "PID": 5948, "Process": "cmd.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:waitcompletionpacket:8

vol_handles

›

Raw tool output · 80576e28379e03008991d369df0931d071add237

{"GrantedAccess": 1, "HandleValue": 8, "Name": null, "Offset": 154518762998192, "PID": 5948, "Process": "cmd.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:iocompletion:12

vol_handles

›

Raw tool output · a740e7578322462d2b0728f90abddeb8a42f82ed

{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518702466048, "PID": 5948, "Process": "cmd.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:tpworkerfactory:16

vol_handles

›

Raw tool output · c0588a47c03417ae53b9c28e3f1f003e983ccaf3

{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518693300944, "PID": 5948, "Process": "cmd.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:irtimer:20

vol_handles

›

Raw tool output · 825448e3938b07849833929d4a6da20b27f5d2b9

{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518752264288, "PID": 5948, "Process": "cmd.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:waitcompletionpacket:24

vol_handles

›

Raw tool output · 92adee1b97a5c9d4d8aaee0f9064c0b2bfa228c3

{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518783317344, "PID": 5948, "Process": "cmd.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:irtimer:28

vol_handles

›

Raw tool output · 1292d5c09232790bf694ece95a11dfc2806e0b29

{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518681641728, "PID": 5948, "Process": "cmd.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:waitcompletionpacket:32

vol_handles

›

Raw tool output · d80f339836550d74e111bd11a53e178d1c1856cb

{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518742020560, "PID": 5948, "Process": "cmd.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:etwregistration:36

vol_handles

›

Raw tool output · d328fb9cb35c9542ec6188688c4850f6ba19f24b

{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518681909456, "PID": 5948, "Process": "cmd.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:etwregistration:40

vol_handles

›

Raw tool output · aaa81f05e151bf97c97262ecace02801b02d3652

{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518761763104, "PID": 5948, "Process": "cmd.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:etwregistration:44

vol_handles

›

Raw tool output · 2de34cda14da2c560b08a75e8495fc575a93fba9

{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518767088160, "PID": 5948, "Process": "cmd.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:directory:knowndlls

vol_handles

›

Raw tool output · f99338daae253e91dbf0d5f5486e3223bf0e10ee

{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 5948, "Process": "cmd.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:event:52

vol_handles

›

Raw tool output · cd5e2de6e192338003a25777388dd26e6ea3125c

{"GrantedAccess": 2031619, "HandleValue": 52, "Name": null, "Offset": 154518724410720, "PID": 5948, "Process": "cmd.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:event:56

vol_handles

›

Raw tool output · 4ea153a687dcb0e0a3f95a86a2f0b149a49425a7

{"GrantedAccess": 2031619, "HandleValue": 56, "Name": null, "Offset": 154518716013248, "PID": 5948, "Process": "cmd.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:file:\device\harddiskvolume2\windows

vol_handles

›

Raw tool output · def4ac734fa5b954195315568cef6d400ced9e1b

{"GrantedAccess": 1048608, "HandleValue": 60, "Name": "\\Device\\HarddiskVolume2\\Windows", "Offset": 154518799347040, "PID": 5948, "Process": "cmd.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:event:64

vol_handles

›

Raw tool output · 933191f1c0e327dfef18a9d9649b3dcf8fa01ed7

{"GrantedAccess": 2031619, "HandleValue": 64, "Name": null, "Offset": 154518716446800, "PID": 5948, "Process": "cmd.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:directory:knowndlls32

vol_handles

›

Raw tool output · d0ba6752855432288bdb21c35f87a575531ad3c2

{"GrantedAccess": 3, "HandleValue": 68, "Name": "KnownDlls32", "Offset": 229276702275152, "PID": 5948, "Process": "cmd.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:waitcompletionpacket:72

vol_handles

›

Raw tool output · f9916c6d2f0faeaa15c3b7a4d4b39aef1d316104

{"GrantedAccess": 1, "HandleValue": 72, "Name": null, "Offset": 154518739245616, "PID": 5948, "Process": "cmd.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:file:\device\condrv\input

vol_handles

›

Raw tool output · c0c4354e9fb71399d5de270cbf34873d16c1b79d

{"GrantedAccess": 1180063, "HandleValue": 76, "Name": "\\Device\\ConDrv\\Input", "Offset": 154518799199552, "PID": 5948, "Process": "cmd.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:file:\device\condrv\output

vol_handles

›

Raw tool output · bf6af7c49831cd276cf9f7d9ea87cf53c101540e

{"GrantedAccess": 1180063, "HandleValue": 80, "Name": "\\Device\\ConDrv\\Output", "Offset": 154518715712880, "PID": 5948, "Process": "cmd.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:iocompletion:88

vol_handles

›

Raw tool output · 2ee13e98600dbf4cff6486259a1b2f83c6349ac4

{"GrantedAccess": 2031619, "HandleValue": 88, "Name": null, "Offset": 154518683547904, "PID": 5948, "Process": "cmd.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:tpworkerfactory:92

vol_handles

›

Raw tool output · 246bd6c7575ae9240a9f8a0c9b53424c29f53e6c

{"GrantedAccess": 983295, "HandleValue": 92, "Name": null, "Offset": 154518679925248, "PID": 5948, "Process": "cmd.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:irtimer:96

vol_handles

›

Raw tool output · 1493afc107e294926838ad6f3e300a6d58e1564b

{"GrantedAccess": 1048578, "HandleValue": 96, "Name": null, "Offset": 154518752843280, "PID": 5948, "Process": "cmd.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:waitcompletionpacket:100

vol_handles

›

Raw tool output · 10b170e09b9ac985a50b8e01c40f329bf0affdb6

{"GrantedAccess": 1, "HandleValue": 100, "Name": null, "Offset": 154518718131904, "PID": 5948, "Process": "cmd.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:irtimer:104

vol_handles

›

Raw tool output · 3d09ee3466171b05b095d76e8eba30de65352c74

{"GrantedAccess": 1048578, "HandleValue": 104, "Name": null, "Offset": 154518771994992, "PID": 5948, "Process": "cmd.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:waitcompletionpacket:108

vol_handles

›

Raw tool output · 7e80c1960d4bcbc7f421f26353974a1a782e8964

{"GrantedAccess": 1, "HandleValue": 108, "Name": null, "Offset": 154518769440432, "PID": 5948, "Process": "cmd.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:etwregistration:112

vol_handles

›

Raw tool output · d88f6ef7777abc2d15b23189dfbde2527104a56c

{"GrantedAccess": 2052, "HandleValue": 112, "Name": null, "Offset": 154518792329696, "PID": 5948, "Process": "cmd.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:etwregistration:116

vol_handles

›

Raw tool output · 55eb6b4becac37e015573b7f317a46e46b9ea0f3

{"GrantedAccess": 2052, "HandleValue": 116, "Name": null, "Offset": 154518789322352, "PID": 5948, "Process": "cmd.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:etwregistration:120

vol_handles

›

Raw tool output · 945ad9405e9ec8579c877da1be45841907209cdb

{"GrantedAccess": 2052, "HandleValue": 120, "Name": null, "Offset": 154518714753760, "PID": 5948, "Process": "cmd.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:event:128

vol_handles

›

Raw tool output · 5d4deb2bbba53126d5d5cd61bb33ec3d20e78448

{"GrantedAccess": 2031619, "HandleValue": 128, "Name": null, "Offset": 154518787625232, "PID": 5948, "Process": "cmd.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:event:132

vol_handles

›

Raw tool output · a75bb7330c9c4388dfd3fd9a4bd2ed7fb62bf34f

{"GrantedAccess": 2031619, "HandleValue": 132, "Name": null, "Offset": 154518788400048, "PID": 5948, "Process": "cmd.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:file:\device\harddiskvolume2\windows\temp\perfmon

vol_handles

›

Raw tool output · bd74223be48512e5cceeeb88f7e94d990c82f759

{"GrantedAccess": 1048608, "HandleValue": 136, "Name": "\\Device\\HarddiskVolume2\\Windows\\Temp\\Perfmon", "Offset": 154518682675376, "PID": 5948, "Process": "cmd.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:file:\device\condrv\connect

vol_handles

›

Raw tool output · a43dd9987fc60e90a7bf07e8381acf8f71cae4c9

{"GrantedAccess": 1180063, "HandleValue": 140, "Name": "\\Device\\ConDrv\\Connect", "Offset": 154518683231792, "PID": 5948, "Process": "cmd.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:file:\device\condrv\reference

vol_handles

›

Raw tool output · d464502d21b3f93fe81af04881fece185ebe7a15

{"GrantedAccess": 1180063, "HandleValue": 144, "Name": "\\Device\\ConDrv\\Reference", "Offset": 154518693115840, "PID": 5948, "Process": "cmd.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:alpc port:148

vol_handles

›

Raw tool output · 3d1f0272adf299ff40379c9a0d6fe3c9674d3a3b

{"GrantedAccess": 2031617, "HandleValue": 148, "Name": null, "Offset": 154518722717776, "PID": 5948, "Process": "cmd.exe", "Type": "ALPC Port", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:etwregistration:156

vol_handles

›

Raw tool output · e528caa645c4bb59eaaf3d100a7d1ea053ebbc65

{"GrantedAccess": 2052, "HandleValue": 156, "Name": null, "Offset": 154518773221040, "PID": 5948, "Process": "cmd.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:etwregistration:160

vol_handles

›

Raw tool output · 2a3bae7aba65380598932cefb5b1ee4b9e4c1ccb

{"GrantedAccess": 2052, "HandleValue": 160, "Name": null, "Offset": 154518771340512, "PID": 5948, "Process": "cmd.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:iocompletion:164

vol_handles

›

Raw tool output · bf0dbbab9e06c371e3f4d707e8b373cd1f204c92

{"GrantedAccess": 2031619, "HandleValue": 164, "Name": null, "Offset": 154518754523648, "PID": 5948, "Process": "cmd.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:tpworkerfactory:168

vol_handles

›

Raw tool output · 7eee45e9913095312831adc1d8f008b43026df15

{"GrantedAccess": 983295, "HandleValue": 168, "Name": null, "Offset": 154518706763088, "PID": 5948, "Process": "cmd.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:irtimer:172

vol_handles

›

Raw tool output · ad5007ad020abbd7bf9ed537d7accd68d75b02d0

{"GrantedAccess": 1048578, "HandleValue": 172, "Name": null, "Offset": 154518789532448, "PID": 5948, "Process": "cmd.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:waitcompletionpacket:176

vol_handles

›

Raw tool output · cccbbdf610ff074138975ae82324095f3bbe54cb

{"GrantedAccess": 1, "HandleValue": 176, "Name": null, "Offset": 154518753440480, "PID": 5948, "Process": "cmd.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:irtimer:180

vol_handles

›

Raw tool output · 68403b363d901445d0e36eba756d1818672043e4

{"GrantedAccess": 1048578, "HandleValue": 180, "Name": null, "Offset": 154518755365344, "PID": 5948, "Process": "cmd.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:waitcompletionpacket:184

vol_handles

›

Raw tool output · 5921f9053b096c37093178bf780f7a849174a431

{"GrantedAccess": 1, "HandleValue": 184, "Name": null, "Offset": 154518705295456, "PID": 5948, "Process": "cmd.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:key:machine\system\controlset001\control\nls\sorting\versions

vol_handles

›

Raw tool output · 9c9c76302b2ec286dfa17c4752a219a37dccceca

{"GrantedAccess": 131097, "HandleValue": 188, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS", "Offset": 229276772826656, "PID": 5948, "Process": "cmd.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:thread:tid 4616 pid 5948

vol_handles

›

Raw tool output · 45587c7834c8da8e5cd9e0614585b2c29eef51c2

{"GrantedAccess": 2097151, "HandleValue": 192, "Name": "Tid 4616 Pid 5948", "Offset": 154518739558528, "PID": 5948, "Process": "cmd.exe", "Type": "Thread", "TreeDepth": 0}

⊞

handle facthandle:pid:5948:key:machine\system\controlset001\control\nls\customlocale

vol_handles

›

Raw tool output · 077257c5684942c8dd0773b06f67a9b6dbf7e0af

{"GrantedAccess": 1, "HandleValue": 196, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE", "Offset": 229276791778944, "PID": 5948, "Process": "cmd.exe", "Type": "Key", "TreeDepth": 0}

▣

process factpid:5948

vol_psscan

›

Raw tool output · b1b86f20cce03b077446ef938fcb723be3e584dd

{"CreateTime": "2018-08-30T22:15:18+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "cmd.exe", "Offset(V)": 154518692545920, "PID": 5948, "PPID": 5848, "SessionId": 0, "Threads": 1, "Wow64": true, "TreeDepth": 0}

▣

process relationship factpid:3436->pid:5948

vol_psscanvol_pstree

›

Raw tool output · a60aab2a1ac6dfe8c66fca73a40c9d4150a91da0

{"CreateTime": "2018-08-30T22:15:18+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "conhost.exe", "Offset(V)": 154518683723136, "PID": 3436, "PPID": 5948, "SessionId": 0, "Threads": 3, "Wow64": false, "TreeDepth": 0}

▣

process relationship factpid:8260->pid:5948

vol_psscanvol_pstree

›

Raw tool output · 2c567f366304730a8a4e5861c30fd805cf10a5d4

{"CreateTime": "2018-08-30T22:15:18+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "p.exe", "Offset(V)": 154518685750656, "PID": 8260, "PPID": 5948, "SessionId": 0, "Threads": 2, "Wow64": false, "TreeDepth": 0}

▣

process relationship factpid:5948->pid:5848

vol_psscanvol_pstree

›

Raw tool output · 86d2ea60b3a432594752c3caef5286a8ef6a9cc0

{"CreateTime": "2018-08-30T22:15:18+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "cmd.exe", "Offset(V)": 154518692545920, "PID": 5948, "PPID": 5848, "SessionId": 0, "Threads": 1, "Wow64": true, "TreeDepth": 0}

Source tools

vol_cmdlinevol_pstree