F031 · LOW · Suspicious · validator: passed
Nagios NCPA installer executed from temp
ncpa-2.0.4.exe executed from C:\Windows\Temp
Analyst narrative
candidate cand-0048/cand-0088: ncpa-2.0.4.exe executed from Windows\Temp staging path per shimcache and amcache. fact_ids=appcompatcache_execution_fact-0000058, file_execution_fact-0000057
Claims asserted
hash · ncpa-2.0.4.exe · 60083cabeaad20fb97938602edf856ae8f2829bc · run_appcompatcacheparser, get_amcache, extract_mft_timeline
path · C:\Windows\Temp\ncpa-2.0.4.exe · run_appcompatcacheparser, get_amcache, extract_mft_timeline
Proof chain · 3 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
appcompatcache execution fact
appcompatcache:sysvol/windows/temp/ncpa-2.0.4.exe · run_appcompatcacheparser
Raw tool output · a77e3b3a90a16efa4308115dfa29cd624f06d409
{"ControlSet": "1", "CacheEntryPosition": "58", "Path": "SYSVOL\\Windows\\Temp\\ncpa-2.0.4.exe", "LastModifiedTimeUTC": "2018-03-14 13:37:42", "Executed": "No", "Duplicate": "False", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
appcompatcache execution fact
appcompatcache:sysvol/windows/temp/ncpa-2.0.4.exe · run_appcompatcacheparser
Raw tool output · 3c5bce536b378587bd55890099d37b67a3e92c87
{"ControlSet": "2", "CacheEntryPosition": "58", "Path": "SYSVOL\\Windows\\Temp\\ncpa-2.0.4.exe", "LastModifiedTimeUTC": "2018-03-14 13:37:42", "Executed": "No", "Duplicate": "True", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
file execution fact
sha1:60083cabeaad20fb97938602edf856ae8f2829bc · get_amcache
Raw tool output · 44ee16d1ce50440b887c7b582468e05c7ceffa21
{"path": "C:\\Windows\\Temp\\ncpa-2.0.4.exe", "sha1": "60083cabeaad20fb97938602edf856ae8f2829bc", "first_run": "", "publisher": null, "file_size": null}

Source tools
extract_mft_timeline · get_amcache · run_appcompatcacheparser