Veritas
F007HIGHSuspiciousvalidator: passed

cmd.exe launches staged p.exe (Execution)

cmd.exe spawning staged binary

Analyst narrative

cmd.exe PID 5948 with command line 'cmd.exe /C c:\windows\temp\perfmon\p.exe' spawned from powershell.exe PID 5848, demonstrating execution mechanism for the staged payload.

Claims asserted

pid-vol_cmdlinevol_pstreeget_amcache
user_account-vol_handles

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

handle facthandle:pid:5848:event:4
vol_handles
Raw tool output · ccf1d112e5a9db9f9312c0e704193db23c957e65
{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518706177632, "PID": 5848, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:5848:waitcompletionpacket:8
vol_handles
Raw tool output · 2f11c4ce102c52c70ed74e339954ecea6d46cab3
{"GrantedAccess": 1, "HandleValue": 8, "Name": null, "Offset": 154518791779328, "PID": 5848, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:5848:iocompletion:12
vol_handles
Raw tool output · a8d9957dfeb6b0be52247347efeb4b34815a3b9d
{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518733438656, "PID": 5848, "Process": "powershell.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle facthandle:pid:5848:tpworkerfactory:16
vol_handles
Raw tool output · 901d4138f25a7fb9abbe6cf3a371430184575f1b
{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518771221936, "PID": 5848, "Process": "powershell.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle facthandle:pid:5848:irtimer:20
vol_handles
Raw tool output · 2867d6eaeee4e5a3539eed6270cf5315edb7ba08
{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518792069440, "PID": 5848, "Process": "powershell.exe", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:5848:waitcompletionpacket:24
vol_handles
Raw tool output · 2810791b1e36ff80921535b45a12fe644fb0f5bb
{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518716234528, "PID": 5848, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:5848:irtimer:28
vol_handles
Raw tool output · 30212131badd5ff3037777cd2fd92cef9f5f555a
{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518769685648, "PID": 5848, "Process": "powershell.exe", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:5848:waitcompletionpacket:32
vol_handles
Raw tool output · c9e80062d9c02027466852161ab4229b466c8c08
{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518701300336, "PID": 5848, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:5848:etwregistration:36
vol_handles
Raw tool output · d9dd3ccaf94db39261d65e3202bf65487fc0e5c4
{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518681335328, "PID": 5848, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:5848:etwregistration:40
vol_handles
Raw tool output · 93cc5273716a0fbe4ab3718db227749d90304701
{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518786911296, "PID": 5848, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:5848:etwregistration:44
vol_handles
Raw tool output · 36a1cd1577d2f9681ceab083f0b4372680f1a636
{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518710082832, "PID": 5848, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:5848:directory:knowndlls
vol_handles
Raw tool output · 83a8aa4f5c9a1e8fd0874e87a6fafd4c8c5bffc2
{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 5848, "Process": "powershell.exe", "Type": "Directory", "TreeDepth": 0}
handle facthandle:pid:5848:event:52
vol_handles
Raw tool output · 2d98b9a2abdbd49781b0a329ae7377665a4c71de
{"GrantedAccess": 2031619, "HandleValue": 52, "Name": null, "Offset": 154518762551984, "PID": 5848, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:5848:event:56
vol_handles
Raw tool output · 6b1202e3a2bb430a037db98c6da13bd5e62015bf
{"GrantedAccess": 2031619, "HandleValue": 56, "Name": null, "Offset": 154518771651648, "PID": 5848, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:5848:file:\device\harddiskvolume2\windows
vol_handles
Raw tool output · 638e08a4fe20e47fbbfc71326e019ce6be3f08de
{"GrantedAccess": 1048608, "HandleValue": 60, "Name": "\\Device\\HarddiskVolume2\\Windows", "Offset": 154518761423728, "PID": 5848, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}
handle facthandle:pid:5848:event:64
vol_handles
Raw tool output · d3402f94e6b2c3a3a5e8459042267c4a1acfb736
{"GrantedAccess": 2031619, "HandleValue": 64, "Name": null, "Offset": 154518785041328, "PID": 5848, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:5848:directory:knowndlls32
vol_handles
Raw tool output · 55c0129d0556c12718ca42e11cadf932ba5ae7fb
{"GrantedAccess": 3, "HandleValue": 68, "Name": "KnownDlls32", "Offset": 229276702275152, "PID": 5848, "Process": "powershell.exe", "Type": "Directory", "TreeDepth": 0}
handle facthandle:pid:5848:waitcompletionpacket:72
vol_handles
Raw tool output · f85968e20330b3e511c9812986816fd49c06de2c
{"GrantedAccess": 1, "HandleValue": 72, "Name": null, "Offset": 154518749554464, "PID": 5848, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:5848:file:\device\condrv\input
vol_handles
Raw tool output · ed4696742a2dda37fe5a0889fe57af8209bb8c7f
{"GrantedAccess": 1180063, "HandleValue": 76, "Name": "\\Device\\ConDrv\\Input", "Offset": 154518799199552, "PID": 5848, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}
handle facthandle:pid:5848:file:\device\condrv\output
vol_handles
Raw tool output · 4afd0bb9c3a1e6676fccdd033011d3547c6efc35
{"GrantedAccess": 1180063, "HandleValue": 80, "Name": "\\Device\\ConDrv\\Output", "Offset": 154518715712880, "PID": 5848, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}
handle facthandle:pid:5848:iocompletion:88
vol_handles
Raw tool output · e364e4296128a74ef0069085264b6d136d88844b
{"GrantedAccess": 2031619, "HandleValue": 88, "Name": null, "Offset": 154518686004480, "PID": 5848, "Process": "powershell.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle facthandle:pid:5848:tpworkerfactory:92
vol_handles
Raw tool output · 783a1d8bbe713c6402221edb4f05d881d6b4e995
{"GrantedAccess": 983295, "HandleValue": 92, "Name": null, "Offset": 154518716535776, "PID": 5848, "Process": "powershell.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle facthandle:pid:5848:irtimer:96
vol_handles
Raw tool output · 67b2368ed3a39e533fd0944fe74badfb26668b3a
{"GrantedAccess": 1048578, "HandleValue": 96, "Name": null, "Offset": 154518718496032, "PID": 5848, "Process": "powershell.exe", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:5848:waitcompletionpacket:100
vol_handles
Raw tool output · d7d5081a7cb3b06365b62bc5426ba2fe3a088623
{"GrantedAccess": 1, "HandleValue": 100, "Name": null, "Offset": 154518740688992, "PID": 5848, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:5848:irtimer:104
vol_handles
Raw tool output · 39d004c113a804231e35774131a1f5fb1cb95818
{"GrantedAccess": 1048578, "HandleValue": 104, "Name": null, "Offset": 154518714312848, "PID": 5848, "Process": "powershell.exe", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:5848:waitcompletionpacket:108
vol_handles
Raw tool output · 7277f1edf98e8c0df2ceb38b8cfe4337d1b991c7
{"GrantedAccess": 1, "HandleValue": 108, "Name": null, "Offset": 154518791917664, "PID": 5848, "Process": "powershell.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:5848:etwregistration:112
vol_handles
Raw tool output · 21363777b504844f73fa4a03012bb70b669d4bf5
{"GrantedAccess": 2052, "HandleValue": 112, "Name": null, "Offset": 154518773874800, "PID": 5848, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:5848:etwregistration:116
vol_handles
Raw tool output · 88980f5f8765177605d56ec14199ec845d02e1af
{"GrantedAccess": 2052, "HandleValue": 116, "Name": null, "Offset": 154518765195152, "PID": 5848, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:5848:etwregistration:120
vol_handles
Raw tool output · 18ca9356467f59fa386074c637fa2d6fa4e8d5aa
{"GrantedAccess": 2052, "HandleValue": 120, "Name": null, "Offset": 154518768900048, "PID": 5848, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:5848:event:128
vol_handles
Raw tool output · eef3774171cd53a26601b5d19813ca2a63e6d087
{"GrantedAccess": 2031619, "HandleValue": 128, "Name": null, "Offset": 154518690084224, "PID": 5848, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:5848:event:132
vol_handles
Raw tool output · 0c15c1882b7d7d9a93b8a6d105a09da0e9c0a768
{"GrantedAccess": 2031619, "HandleValue": 132, "Name": null, "Offset": 154518768477616, "PID": 5848, "Process": "powershell.exe", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:5848:file:\device\condrv\connect
vol_handles
Raw tool output · 76e008b231802a36904df2282c0e69e98e628b41
{"GrantedAccess": 1180063, "HandleValue": 140, "Name": "\\Device\\ConDrv\\Connect", "Offset": 154518740534496, "PID": 5848, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}
handle facthandle:pid:5848:file:\device\condrv\reference
vol_handles
Raw tool output · bc53d142d4f4868a489ac3b292205309400c299b
{"GrantedAccess": 1180063, "HandleValue": 144, "Name": "\\Device\\ConDrv\\Reference", "Offset": 154518755001008, "PID": 5848, "Process": "powershell.exe", "Type": "File", "TreeDepth": 0}
handle facthandle:pid:5848:alpc port:148
vol_handles
Raw tool output · 128b2b16843661e95969dc7a1b0327aa710f8950
{"GrantedAccess": 2031617, "HandleValue": 148, "Name": null, "Offset": 154518701488768, "PID": 5848, "Process": "powershell.exe", "Type": "ALPC Port", "TreeDepth": 0}
handle facthandle:pid:5848:etwregistration:152
vol_handles
Raw tool output · 2def1b7c6bb842395dd4026b0b7820ce20c3b548
{"GrantedAccess": 2052, "HandleValue": 152, "Name": null, "Offset": 154518790822160, "PID": 5848, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:5848:etwregistration:156
vol_handles
Raw tool output · 3f6cbac19775a2129d6fea055653dc2881b579bb
{"GrantedAccess": 2052, "HandleValue": 156, "Name": null, "Offset": 154518752315056, "PID": 5848, "Process": "powershell.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:5848:iocompletion:160
vol_handles
Raw tool output · 67a8f655c5e5faf885dc125e8a02ea3f8813617c
{"GrantedAccess": 2031619, "HandleValue": 160, "Name": null, "Offset": 154518704335552, "PID": 5848, "Process": "powershell.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle facthandle:pid:5848:tpworkerfactory:164
vol_handles
Raw tool output · 44a464fa37b28ee38402a867900764cb23af33e9
{"GrantedAccess": 983295, "HandleValue": 164, "Name": null, "Offset": 154518683584976, "PID": 5848, "Process": "powershell.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle facthandle:pid:5848:irtimer:168
vol_handles
Raw tool output · 5de0b8748009ea447fbb8ba7e3949c0c12caaf47
{"GrantedAccess": 1048578, "HandleValue": 168, "Name": null, "Offset": 154518773215328, "PID": 5848, "Process": "powershell.exe", "Type": "IRTimer", "TreeDepth": 0}
process factpid:5848
vol_psscan
Raw tool output · 07ad0abe331b20f2d4eedf073cc2279e6ecd6eea
{"CreateTime": "2018-08-30T16:43:42+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "powershell.exe", "Offset(V)": 154518694315200, "PID": 5848, "PPID": 8712, "SessionId": 0, "Threads": 9, "Wow64": true, "TreeDepth": 0}
process relationship factpid:6768->pid:5848
vol_psscanvol_pstree
Raw tool output · d0b8ce336f24ae13c72fc35d440b4f6ca4588998
{"CreateTime": "2018-08-30T18:31:04+00:00", "ExitTime": "2018-08-30T18:31:35+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518691087552, "PID": 6768, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": true, "TreeDepth": 0}
process relationship factpid:5948->pid:5848
vol_psscanvol_pstree
Raw tool output · 86d2ea60b3a432594752c3caef5286a8ef6a9cc0
{"CreateTime": "2018-08-30T22:15:18+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "cmd.exe", "Offset(V)": 154518692545920, "PID": 5948, "PPID": 5848, "SessionId": 0, "Threads": 1, "Wow64": true, "TreeDepth": 0}
process relationship factpid:6572->pid:5848
vol_psscanvol_pstree
Raw tool output · 437b4917b0770c2ee8baebbbb305f2d1bb4e653c
{"CreateTime": "2018-08-30T16:43:42+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "conhost.exe", "Offset(V)": 154518694191232, "PID": 6572, "PPID": 5848, "SessionId": 0, "Threads": 1, "Wow64": false, "TreeDepth": 0}
process relationship factpid:5848->pid:8712
vol_psscanvol_pstree
Raw tool output · 23438b155003d92b69218219bd947b9ff676a5b4
{"CreateTime": "2018-08-30T16:43:42+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "powershell.exe", "Offset(V)": 154518694315200, "PID": 5848, "PPID": 8712, "SessionId": 0, "Threads": 9, "Wow64": true, "TreeDepth": 0}
process relationship factpid:8148->pid:5848
vol_psscanvol_pstree
Raw tool output · b75b35017a67938ecd333973a8fb8a7746a24ee9
{"CreateTime": "2018-08-31T00:56:14+00:00", "ExitTime": "2018-08-31T00:56:30+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518723040640, "PID": 8148, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": true, "TreeDepth": 0}
process relationship factpid:4108->pid:5848
vol_psscanvol_pstree
Raw tool output · 7c8fcd5aa2020cf80db134a6afa10fe76c521087
{"CreateTime": "2018-08-30T22:45:25+00:00", "ExitTime": "2018-08-30T22:45:30+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518742470784, "PID": 4108, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
process relationship factpid:5588->pid:5848
vol_psscanvol_pstree
Raw tool output · b229918ad93feaae01651fbf25cf271583d73a24
{"CreateTime": "2018-08-30T21:40:42+00:00", "ExitTime": "2018-08-30T21:40:54+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518742640000, "PID": 5588, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
process relationship factpid:5452->pid:5848
vol_psscanvol_pstree
Raw tool output · 6ba9b94599f78cf3d8f66fdebfc83c1b5e01905b
{"CreateTime": "2018-08-30T21:40:18+00:00", "ExitTime": "2018-08-30T21:40:23+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518744397184, "PID": 5452, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
process relationship factpid:2216->pid:5848
vol_psscanvol_pstree
Raw tool output · 335b2f5830e2d4f512666924a313d636409c06c5
{"CreateTime": "2018-08-30T22:31:57+00:00", "ExitTime": "2018-08-30T22:32:19+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518744704384, "PID": 2216, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": true, "TreeDepth": 0}
psxview factpsxview:pid:5848
vol_psxview
Raw tool output · f88a3cc0af3c8331fc03b61dc49a1bda4be7226b
{"Exit Time": "", "Name": "powershell.exe", "Offset(Virtual)": 154518694315200, "PID": 5848, "csrss": true, "pslist": true, "psscan": true, "thrdscan": true, "TreeDepth": 0}

Source tools

get_amcachevol_cmdlinevol_handlesvol_pstree