Veritas
F031 · MEDIUM · Suspicious · validator: passed

PWDumpX credential dumping tool staged in temp directory (TA0006: Credential Access)

C:\Windows\Temp\Perfmon\PWDumpX.exe

Analyst narrative

PWDumpX.exe detected in AppCompatCache with the Executed flag set, staged at C:\Windows\Temp\Perfmon\PWDumpX.exe. This LOLBIN credential dumping tool was executed, indicating an active credential theft attempt.

Claims asserted

path: C:\Windows\Temp\Perfmon\PWDumpX.exe
run_appcompatcacheparser
get_amcache

Proof chain · 3 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

Fact 1 · appcompatcache execution fact · appcompatcache:sysvol/windows/temp/perfmon/pwdumpx.exe
Source tool: run_appcompatcacheparser
Raw tool output · 9204d499aa6012dabeda2c5cacb1a386a8472706
{"ControlSet": "1", "CacheEntryPosition": "57", "Path": "SYSVOL\\Windows\\Temp\\perfmon\\PWDumpX.exe", "LastModifiedTimeUTC": "2018-09-04 18:20:44", "Executed": "Yes", "Duplicate": "False", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}

Fact 2 · appcompatcache execution fact · appcompatcache:sysvol/windows/temp/perfmon/pwdumpx.exe
Source tool: run_appcompatcacheparser
Raw tool output · 7c61597f20e53a7a0a40593dca88e13759b8a40e
{"ControlSet": "2", "CacheEntryPosition": "57", "Path": "SYSVOL\\Windows\\Temp\\perfmon\\PWDumpX.exe", "LastModifiedTimeUTC": "2018-09-04 18:20:44", "Executed": "Yes", "Duplicate": "True", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}

Fact 3 · file execution fact · sha1:e78b845045f7522c02e463a9b22db48e61ec0e54
Source tool: get_amcache
Raw tool output · e4f9a4ff463a3c8d1007fa30a616983a3f1e9ab4
{"path": "C:\\Windows\\Temp\\perfmon\\PWDumpX.exe", "sha1": "e78b845045f7522c02e463a9b22db48e61ec0e54", "first_run": "", "publisher": null, "file_size": null}

Source tools

get_amcache
run_appcompatcacheparser