Veritas
F005 · HIGH · Confirmed malicious · validator: passed

Staged p.exe execution from temp perfmon directory

Staged executable p.exe in temp directory with RWX region

Analyst narrative

p.exe (PID 8260) executed from c:\windows\temp\perfmon\p.exe via cmd.exe (PID 5948), itself parented by powershell.exe (PID 5848); of that chain only the PPID 5948 link is among the facts below (the psscan/pstree records), so the cmd.exe and powershell.exe image names appear to come from analyst context rather than from this proof chain. Has RWX VadS region: the malfind record shows a PAGE_EXECUTE_READWRITE private region whose captured bytes are all zero, so the protection, not recovered code, is the indicator. The process (created 2018-08-30) later spawned short-lived rundll32.exe children (PIDs 5768, 1424, 7552) on 2018-09-05 and 2018-09-06, and psxview lists it in all four enumeration sources (csrss, pslist, psscan, thrdscan), i.e. it is not hidden. Candidate cand-0005/cand-0006/cand-0053.

Claims asserted

pid · - · vol_malfind, vol_pstree, vol_psscan, get_amcache, extract_mft_timeline
path · c:\windows\temp\perfmon\p.exe · vol_malfind, vol_pstree, vol_psscan, get_amcache, extract_mft_timeline
user_accounts · psql

Proof chain · 51 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

handle fact · handle:pid:8260:event:4
vol_handles
Raw tool output · ffb5f044fc0cf167dd8aaebc8902b7f82bf1ed6c
{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518695113248, "PID": 8260, "Process": "p.exe", "Type": "Event", "TreeDepth": 0}
handle fact · handle:pid:8260:waitcompletionpacket:8
vol_handles
Raw tool output · 64c7e2b00c3f491c6c9c3f01ad6a771d58f738cc
{"GrantedAccess": 1, "HandleValue": 8, "Name": null, "Offset": 154518693422640, "PID": 8260, "Process": "p.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:8260:iocompletion:12
vol_handles
Raw tool output · 91eda6a84c7c7420c726272dd3a60d2373652c8b
{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518758375552, "PID": 8260, "Process": "p.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle fact · handle:pid:8260:tpworkerfactory:16
vol_handles
Raw tool output · 112ee11ebed720d0309df7602e0aae262c70105a
{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518770220080, "PID": 8260, "Process": "p.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle fact · handle:pid:8260:irtimer:20
vol_handles
Raw tool output · 5ef278f3f15e0eb2500cb0a726551ba90f3003d3
{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518691094624, "PID": 8260, "Process": "p.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:8260:waitcompletionpacket:24
vol_handles
Raw tool output · 419cb807591f9e08d31bd390b54c662645cc05d6
{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518784174000, "PID": 8260, "Process": "p.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:8260:irtimer:28
vol_handles
Raw tool output · 537ff1d78660ef40aa8e74754635945141157c0c
{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518713403648, "PID": 8260, "Process": "p.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:8260:waitcompletionpacket:32
vol_handles
Raw tool output · c7af6992de5eac314527645cc7d117b517c973ea
{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518702849936, "PID": 8260, "Process": "p.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:36
vol_handles
Raw tool output · 67087d6b4224a63c1ec14f57e32c18c6bbcff547
{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518684017440, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:40
vol_handles
Raw tool output · 2ba4e526512c1f4f76c162d2b647b8deae859058
{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518787810560, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:44
vol_handles
Raw tool output · 86bc04acfa0a4a9e740cdd49dbcad14aed95c446
{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518694658528, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:directory:knowndlls
vol_handles
Raw tool output · 7440b9df2948a8cf353f87b25f93a16fccf8f259
{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 8260, "Process": "p.exe", "Type": "Directory", "TreeDepth": 0}
handle fact · handle:pid:8260:event:52
vol_handles
Raw tool output · 3398c0046970ca6bc26ad248cd53a912800ccb8e
{"GrantedAccess": 2031619, "HandleValue": 52, "Name": null, "Offset": 154518771853344, "PID": 8260, "Process": "p.exe", "Type": "Event", "TreeDepth": 0}
handle fact · handle:pid:8260:event:56
vol_handles
Raw tool output · 626c72c28955e53c72cbfd339f1f63b327a40991
{"GrantedAccess": 2031619, "HandleValue": 56, "Name": null, "Offset": 154518766131760, "PID": 8260, "Process": "p.exe", "Type": "Event", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:64
vol_handles
Raw tool output · 1e6b791229dcade25ec66e30e3f73df7a105cac2
{"GrantedAccess": 2052, "HandleValue": 64, "Name": null, "Offset": 154518784277792, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:68
vol_handles
Raw tool output · 3a88aec1774c6e4d42c476c6194f4b49624d3067
{"GrantedAccess": 2052, "HandleValue": 68, "Name": null, "Offset": 154518762452944, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:alpc port:72
vol_handles
Raw tool output · 5f46e772f0a9f1f5d642eea06ce32b845139ad33
{"GrantedAccess": 2031617, "HandleValue": 72, "Name": null, "Offset": 154518693033808, "PID": 8260, "Process": "p.exe", "Type": "ALPC Port", "TreeDepth": 0}
handle fact · handle:pid:8260:file:\device\condrv\input
vol_handles
Raw tool output · 2a8f7586eb50db7f270712a2112d40c1d020d69a
{"GrantedAccess": 1180063, "HandleValue": 76, "Name": "\\Device\\ConDrv\\Input", "Offset": 154518799199552, "PID": 8260, "Process": "p.exe", "Type": "File", "TreeDepth": 0}
handle fact · handle:pid:8260:file:\device\condrv\output
vol_handles
Raw tool output · 462c4b9d070fe651ae30fa3e89bde364dc34aac5
{"GrantedAccess": 1180063, "HandleValue": 80, "Name": "\\Device\\ConDrv\\Output", "Offset": 154518715712880, "PID": 8260, "Process": "p.exe", "Type": "File", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:88
vol_handles
Raw tool output · 1a1d00c6291c02ef0926211739088e8d0d6b63ec
{"GrantedAccess": 2052, "HandleValue": 88, "Name": null, "Offset": 154518754812480, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:92
vol_handles
Raw tool output · 0906bdaaebaa4f518476161d99e21ed64d676c1e
{"GrantedAccess": 2052, "HandleValue": 92, "Name": null, "Offset": 154518694423536, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:96
vol_handles
Raw tool output · 733ec5853da0ed0107d758d9a8e562f9c8d516aa
{"GrantedAccess": 2052, "HandleValue": 96, "Name": null, "Offset": 154518718052592, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:100
vol_handles
Raw tool output · bb89ed338823a37e3ac5dd4c8fe3940037bcf8fc
{"GrantedAccess": 2052, "HandleValue": 100, "Name": null, "Offset": 154518756842064, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:104
vol_handles
Raw tool output · 83c7f3f2cbac5adc3cba27a580984eca1cb7fd77
{"GrantedAccess": 2052, "HandleValue": 104, "Name": null, "Offset": 154518766825968, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:tpworkerfactory:108
vol_handles
Raw tool output · dfa17e94d046db67641c14fe6d6c1fb6ab233e9f
{"GrantedAccess": 983295, "HandleValue": 108, "Name": null, "Offset": 154518683315808, "PID": 8260, "Process": "p.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle fact · handle:pid:8260:iocompletion:112
vol_handles
Raw tool output · 1ad95911ddcc28bef4172f4836e97d392b2f236a
{"GrantedAccess": 2031619, "HandleValue": 112, "Name": null, "Offset": 154518754795968, "PID": 8260, "Process": "p.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle fact · handle:pid:8260:irtimer:116
vol_handles
Raw tool output · dc99fdc503716871fe69c82c8ce8019234fc7c96
{"GrantedAccess": 1048578, "HandleValue": 116, "Name": null, "Offset": 154518765055280, "PID": 8260, "Process": "p.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:8260:directory:basenamedobjects
vol_handles
Raw tool output · 1796b1f7f9331b3852dca6e5dfd46db547d32fcb
{"GrantedAccess": 15, "HandleValue": 120, "Name": "BaseNamedObjects", "Offset": 229276810769120, "PID": 8260, "Process": "p.exe", "Type": "Directory", "TreeDepth": 0}
handle fact · handle:pid:8260:waitcompletionpacket:124
vol_handles
Raw tool output · 6cd3134558378ae47ed1a0ecf89a200dee41661d
{"GrantedAccess": 1, "HandleValue": 124, "Name": null, "Offset": 154518731324336, "PID": 8260, "Process": "p.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:8260:irtimer:128
vol_handles
Raw tool output · 60f4385bd8b048bf95c2df267e81c13ce6389a49
{"GrantedAccess": 1048578, "HandleValue": 128, "Name": null, "Offset": 154518773626016, "PID": 8260, "Process": "p.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:8260:waitcompletionpacket:132
vol_handles
Raw tool output · 508c833b0dd160c5a54570f8ca16583316b92420
{"GrantedAccess": 1, "HandleValue": 132, "Name": null, "Offset": 154518681672528, "PID": 8260, "Process": "p.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:8260:key:machine\system\controlset001\control\session manager
vol_handles
Raw tool output · 3e4c7880d0df7a954372a8450cd608ecb0be9a7d
{"GrantedAccess": 1, "HandleValue": 136, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER", "Offset": 229276775518320, "PID": 8260, "Process": "p.exe", "Type": "Key", "TreeDepth": 0}
handle fact · handle:pid:8260:key:machine\system\controlset001\control\nls\sorting\versions
vol_handles
Raw tool output · 94e7cd97b4387d9c443fb9497bb7b2940805f13b
{"GrantedAccess": 131097, "HandleValue": 140, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS", "Offset": 229276913525280, "PID": 8260, "Process": "p.exe", "Type": "Key", "TreeDepth": 0}
handle fact · handle:pid:8260:thread:tid 5420 pid 8260
vol_handles
Raw tool output · 58761d01ec75ea0f1b385baffb86fdd8ffb425d4
{"GrantedAccess": 2097151, "HandleValue": 144, "Name": "Tid 5420 Pid 8260", "Offset": 154518784299136, "PID": 8260, "Process": "p.exe", "Type": "Thread", "TreeDepth": 0}
handle fact · handle:pid:8260:thread:tid 5148 pid 8260
vol_handles
Raw tool output · f0e86927eae759b18314bc11ec2708b0c36b4dbc
{"GrantedAccess": 2097151, "HandleValue": 148, "Name": "Tid 5148 Pid 8260", "Offset": 154518693381888, "PID": 8260, "Process": "p.exe", "Type": "Thread", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:152
vol_handles
Raw tool output · 0ebc3f9b1e36dc293d86df1a3272bfaf185d679c
{"GrantedAccess": 2052, "HandleValue": 152, "Name": null, "Offset": 154518750722144, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:156
vol_handles
Raw tool output · 15e290ea65731d4b633c24e849a7b35ecb887028
{"GrantedAccess": 2052, "HandleValue": 156, "Name": null, "Offset": 154518686225568, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:160
vol_handles
Raw tool output · 6883946030d67b23ca37eca6f44770e05533cf1a
{"GrantedAccess": 2052, "HandleValue": 160, "Name": null, "Offset": 154518680981136, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:164
vol_handles
Raw tool output · 93ef34785a7a2ab1a698bf1bf9cc523d812e59a0
{"GrantedAccess": 2052, "HandleValue": 164, "Name": null, "Offset": 154518693071536, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:168
vol_handles
Raw tool output · 8f268962a96b511ce70514e16bdd172611453178
{"GrantedAccess": 2052, "HandleValue": 168, "Name": null, "Offset": 154518686064336, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:172
vol_handles
Raw tool output · 613ae23289314aa2e630f93990cc81496fb15c17
{"GrantedAccess": 2052, "HandleValue": 172, "Name": null, "Offset": 154518766961536, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:176
vol_handles
Raw tool output · b30767bb33b91f3629ab081a78653df53a2efb98
{"GrantedAccess": 2052, "HandleValue": 176, "Name": null, "Offset": 154518773785488, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:8260:etwregistration:180
vol_handles
Raw tool output · 760b9a657ce2c75ef8fdbe0712230921eb7cfbe4
{"GrantedAccess": 2052, "HandleValue": 180, "Name": null, "Offset": 154518716415888, "PID": 8260, "Process": "p.exe", "Type": "EtwRegistration", "TreeDepth": 0}
memory injection fact · pid:8260
vol_malfind
Raw tool output · 20096f37ad7a0c1e6993480fd532da17b2fa6cec
{"CommitCharge": 481, "Disasm": "\"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\"", "End VPN": 47976447, "File output": "Disabled", "Hexdump": "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00", "Notes": null, "PID": 8260, "PrivateMemory": 1, "Process": "p.exe", "Protection": "PAGE_EXECUTE_READWRITE", "Start 
process fact · pid:8260
vol_psscan
Raw tool output · 7773b2b2c3d820b1b406272b113f621def290e18
{"CreateTime": "2018-08-30T22:15:18+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "p.exe", "Offset(V)": 154518685750656, "PID": 8260, "PPID": 5948, "SessionId": 0, "Threads": 2, "Wow64": false, "TreeDepth": 0}
process fact · pid:8260
vol_pstree
Raw tool output · cb977131f95015e391a035506d572d5407fb27b4
{"Audit": "\\Device\\HarddiskVolume2\\Windows\\Temp\\Perfmon\\p.exe", "Cmd": "c:\\windows\\temp\\perfmon\\p.exe", "CreateTime": "2018-08-30T22:15:18+00:00", "ExitTime": null, "Handles": null, "ImageFileName": "p.exe", "Offset(V)": 154518685750656, "PID": 8260, "PPID": 5948, "Path": "c:\\windows\\temp\\perfmon\\p.exe", "SessionId": 0, "Threads": 2, "Wow64": false, "TreeDepth": 10}
process relationship fact · pid:8260->pid:5948
vol_psscan, vol_pstree
Raw tool output · 2c567f366304730a8a4e5861c30fd805cf10a5d4
{"CreateTime": "2018-08-30T22:15:18+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "p.exe", "Offset(V)": 154518685750656, "PID": 8260, "PPID": 5948, "SessionId": 0, "Threads": 2, "Wow64": false, "TreeDepth": 0}
process relationship fact · pid:1424->pid:8260
vol_psscan, vol_pstree
Raw tool output · febc45b9fae5bb08557c5905be612ab65b405f1d
{"CreateTime": "2018-09-06T14:58:41+00:00", "ExitTime": "2018-09-06T14:58:45+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518818256256, "PID": 1424, "PPID": 8260, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
process relationship fact · pid:7552->pid:8260
vol_psscan, vol_pstree
Raw tool output · 4d065905ef79674ce31fb702b8df604d89085f68
{"CreateTime": "2018-09-06T17:26:32+00:00", "ExitTime": "2018-09-06T17:26:35+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518825205888, "PID": 7552, "PPID": 8260, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
process relationship fact · pid:5768->pid:8260
vol_psscan, vol_pstree
Raw tool output · 7d05d8db57f370ecc0e62ab9820ccff1eda5db2d
{"CreateTime": "2018-09-05T12:01:32+00:00", "ExitTime": "2018-09-05T12:01:40+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518827255040, "PID": 5768, "PPID": 8260, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
psxview fact · psxview:pid:8260
vol_psxview
Raw tool output · 462b0b95bf94c7b7bac5857b9f265cb7b80e545b
{"Exit Time": "", "Name": "p.exe", "Offset(Virtual)": 154518685750656, "PID": 8260, "csrss": true, "pslist": true, "psscan": true, "thrdscan": true, "TreeDepth": 0}

Source tools

extract_mft_timeline, get_amcache, run_strings, vol_cmdline, vol_filescan, vol_getsids, vol_handles, vol_malfind, vol_privileges, vol_psscan, vol_pstree, vol_psxview