F041 · Suspicious · validator: blocked
Image File Execution Options debugger on sethc.exe
Sticky Keys debugger IFEO persistence (sethc.exe)
Analyst narrative
Registry persistence fact shows a Debugger value set under Image File Execution Options for sethc.exe, a classic accessibility-tool backdoor / privilege escalation. cand-0102 (registry_persistence_fact-0003198).
Claims asserted
path: image file execution options sethc.exe debugger
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs