Veritas
F039 · Suspicious · validator: blocked

DismHost lateral movement artifacts in temp directories (TA0008: Lateral Movement, TA0002: Execution)

DismHost.exe

Analyst narrative

Multiple DismHost.exe executions detected in AppCompatCache within temporary GUID directories (typical of WinRM or lateral movement staging). 6+ instances found in C:\Windows\Temp and C:\Users\rsydow\AppData\Local\Temp, indicating scripted remote execution.

Claims asserted

path · DismHost.exe multiple instances

Proof chain · 0 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

Source tools

run_appcompatcacheparser