
Malware Execution Analysis

Tracing malware from initial download through execution is one of the most common DFIR workflows. This guide walks through using IRFlow Timeline to reconstruct the full chain -- from a user downloading a malicious file, to process execution, persistence installation, and network callbacks -- using correlated Windows forensic artifacts.

Scenario

A user on workstation WS-PC0142 reported unusual behavior after opening an email attachment. Your triage collection (via KAPE) includes Sysmon EVTX logs, MFT, Prefetch, and Amcache artifacts. You need to determine what was executed, how it persisted, and whether it made network connections.

Step-by-Step Workflow

1. Load Artifacts into Separate Tabs

Open each parsed artifact source in its own tab using Multi-Tab:

Tab       Source File                Parser Used
Sysmon    EvtxECmd_Output.csv        EvtxECmd
MFT       MFTECmd_Output.csv         MFTECmd
Prefetch  PECmd_Output.csv           PECmd
Amcache   AmcacheParser_Output.csv   AmcacheParser

IRFlow Timeline auto-detects each KAPE profile and applies optimized column layouts.

TIP

Use Merge Tabs if you want a unified super-timeline view across all artifact types. Otherwise, keeping them in separate tabs makes it easier to focus on one artifact class at a time.

2. Set Up Color Rules for Suspicious Indicators

Before diving into analysis, configure Color Rules to make malicious activity visually obvious. Open View > Color Rules and add the following:

Column      Condition  Value                                            Background  Purpose
Any Column  Contains   powershell                                       Red         Script interpreter execution
Any Column  Contains   cmd.exe                                          Orange      Command shell usage
Any Column  Contains   \Downloads\                                      Yellow      Downloaded file execution
Any Column  Contains   \ProgramData\                                    Yellow      Unusual execution path
Any Column  Contains   \Temp\                                           Yellow      Temp directory activity
Any Column  Regex      (?i)certutil|bitsadmin|mshta|rundll32|regsvr32   Orange      LOLBin abuse

These rules apply across all tabs and immediately surface rows that warrant closer inspection.

3. Identify the Initial Download via MFT

Switch to the MFT tab. Use Search and Filtering to locate newly created files in the user's Downloads folder:

  • Filter the ParentPath column: Contains \Users\jsmith\Downloads
  • Sort by the Created0x10 column (descending) to see the most recent files first

Look for executables or scripts that do not belong:

FileName        ParentPath                 Created0x10          FileSize
invoice.exe     .\Users\jsmith\Downloads   2026-02-24 14:32:07  487,424
readme.pdf.lnk  .\Users\jsmith\Downloads   2026-02-24 14:32:09  2,048

Bookmark these rows and tag them as Initial Download.

TIP

A double extension like readme.pdf.lnk is a classic social engineering trick. The MFT Created0x10 timestamp tells you when the file landed on disk -- this becomes your anchor timestamp for the rest of the investigation. Two checks before you lean on it: Created0x10 comes from $STANDARD_INFORMATION, which is writable from user mode, so compare it with Created0x30 ($FILE_NAME) and watch MFTECmd's SI<FN column for signs of timestomping. Also look at the ZoneIdContents column: a browser download normally carries a Zone.Identifier stream (ZoneId=3, and on Windows 10 and later often the HostUrl and ReferrerUrl), which corroborates where the file came from.

4. Confirm Execution with Prefetch

Switch to the Prefetch tab. Filter the ExecutableName column for invoice.exe:

ExecutableName  RunCount  LastRun              Volume
INVOICE.EXE     1         2026-02-24 14:32:41  \VOLUME{01da2b3f}

Key observations:

  • RunCount of 1 confirms this was executed exactly once, as far as Prefetch saw. Prefetch is disabled by default on Windows Server editions, so the absence of an entry is not proof of non-execution
  • LastRun is 34 seconds after the MFT creation time. The .pf file is written roughly 10 seconds after process start, so the actual launch was about 24 seconds after the download -- rapid user interaction
  • Windows 8 and later keep up to 8 run times per Prefetch file: LastRun plus PreviousRun0 through PreviousRun6 in PECmd output. Empty PreviousRun columns here confirm first-time execution

5. Correlate with Amcache for Hash and Metadata

Switch to the Amcache tab. Filter the FullPath column for invoice.exe:

FullPath                               SHA1                                      FileSize  CompileTime
C:\Users\jsmith\Downloads\invoice.exe  a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2  487,424   2026-02-20 03:14:00

The Amcache SHA1 hash is critical evidence. Copy it for IOC matching and external lookups, bearing in mind that Amcache hashes only the first 31,457,280 bytes (30 MiB) of a file; for larger binaries, rehash the file itself. A CompileTime earlier than the download is consistent with a pre-built binary rather than one compiled on the host, but the PE timestamp is set by whoever built the file and is trivially forged, so treat it as a hint, not proof. Likewise, an Amcache entry shows the file was inventoried, not necessarily executed; the Prefetch entry above is your execution evidence.
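Steps 3 to 5 are one correlation exercise: anchor on the MFT creation time, confirm execution with Prefetch, pull the hash from Amcache. The Python below is an added example, not IRFlow Timeline code or part of this guide, that performs the same correlation over MFTECmd, PECmd and AmcacheParser CSV output and adds the sanity checks a reviewer would ask for: the Created0x10 versus Created0x30 timestomp comparison, the roughly 10 second Prefetch lag, and the 30 MiB Amcache hashing limit. The rows are constructed to mirror the tables above and trimmed to the columns used; the CompileTime column name follows the table above (newer AmcacheParser output carries the same PE link timestamp as LinkDate).

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data shaped like MFTECmd, PECmd and AmcacheParser CSV output,
# trimmed to the columns used here (real output has dozens more). The last MFT row
# is a deliberately timestomped file so the SI/FN check has something to find.
MFT_CSV = r"""ParentPath,FileName,FileSize,Created0x10,Created0x30
.\Users\jsmith\Downloads,invoice.exe,487424,2026-02-24 14:32:07.0000000,2026-02-24 14:32:07.0000000
.\Users\jsmith\Downloads,readme.pdf.lnk,2048,2026-02-24 14:32:09.0000000,2026-02-24 14:32:09.0000000
.\Users\jsmith\Downloads,notes.txt,120,2026-02-24 14:31:50.0000000,2026-02-24 14:31:50.0000000
.\ProgramData,svchost.exe,487424,2019-06-01 00:00:00.0000000,2026-02-24 14:33:12.5000000
"""
PF_CSV = r"""ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1
INVOICE.EXE,1,2026-02-24 14:32:41.0000000,,
CHROME.EXE,42,2026-02-24 14:30:02.0000000,2026-02-23 09:12:44.0000000,2026-02-22 17:40:01.0000000
"""
AM_CSV = r"""FullPath,SHA1,FileSize,CompileTime
C:\Users\jsmith\Downloads\invoice.exe,A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2,487424,2026-02-20 03:14:00
"""

AMCACHE_HASH_LIMIT = 31_457_280        # Amcache SHA1 covers only the first 30 MiB of a file
PREFETCH_LAG = timedelta(seconds=10)   # the .pf file is written ~10 s after process start
SCRIPT_EXT = (".exe", ".lnk", ".js", ".vbs", ".hta", ".scr", ".ps1", ".bat", ".cmd", ".iso")


def parse_ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS[.fffffff]'. EZ Tools emit 7 fraction digits;
    strptime's %f accepts at most 6, so the fraction is handled separately."""
    if not s:
        return None
    base, _, frac = s.partition(".")
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(
        microsecond=int((frac + "000000")[:6]))


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def downloads_of_interest(mft_rows, user):
    """Step 3: executable/script files under the user's Downloads folder, newest Created0x10 first."""
    folder = "\\users\\" + user.lower() + "\\downloads"
    hits = [r for r in mft_rows
            if folder in r["ParentPath"].lower() and r["FileName"].lower().endswith(SCRIPT_EXT)]
    return sorted(hits, key=lambda r: parse_ts(r["Created0x10"]), reverse=True)


def timestomp_suspects(mft_rows):
    """Created0x10 ($STANDARD_INFORMATION) is settable from user mode; Created0x30
    ($FILE_NAME) is not. A 0x10 time earlier than 0x30 is the tell MFTECmd reports
    in its SI<FN column. Cross-volume moves also produce it, so corroborate."""
    return [r["FileName"] for r in mft_rows
            if parse_ts(r["Created0x10"]) < parse_ts(r["Created0x30"])]


def correlate(mft_rows, pf_rows, am_rows, filename):
    """Steps 3-5: tie the MFT, Prefetch and Amcache records for one file together."""
    name = filename.lower()
    mft = next((r for r in mft_rows if r["FileName"].lower() == name), None)
    if mft is None:
        raise LookupError(f"{filename}: no MFT record (deleted, or MFT incomplete)")
    created = parse_ts(mft["Created0x10"])
    out = {"file": filename, "mft_created": created, "flags": []}

    pf = next((r for r in pf_rows if r["ExecutableName"].lower() == name), None)
    if pf is None:
        out["flags"].append("no Prefetch entry: never ran, or Prefetch disabled (Server default)")
    else:
        last_run = parse_ts(pf["LastRun"])
        runs = [pf["LastRun"]] + [v for k, v in pf.items() if k.startswith("PreviousRun") and v]
        out.update(
            run_count=int(pf["RunCount"]),
            run_history=sorted(parse_ts(t) for t in runs),
            prefetch_last_run=last_run,
            seconds_after_download=(last_run - created).total_seconds(),
            approx_launch=last_run - PREFETCH_LAG,      # LastRun trails the real start
        )

    am = next((r for r in am_rows if r["FullPath"].lower().endswith("\\" + name)), None)
    if am is not None:                                  # inventoried, not proof of execution
        out["sha1"] = am["SHA1"].lower()
        out["compile_time"] = parse_ts(am["CompileTime"])
        if int(am["FileSize"]) > AMCACHE_HASH_LIMIT:
            out["flags"].append("file > 30 MiB: Amcache SHA1 is partial, rehash the file")
        if out["compile_time"] > created:
            out["flags"].append("PE timestamp later than download: forged or clock skew")
    return out


if __name__ == "__main__":
    mft, pf, am = load(MFT_CSV), load(PF_CSV), load(AM_CSV)
    for r in downloads_of_interest(mft, "jsmith"):
        print(r["Created0x10"], r["FileName"])
    print("timestomp suspects:", timestomp_suspects(mft))
    for k, v in correlate(mft, pf, am, "invoice.exe").items():
        print(f"{k:>24}: {v}")
```

Run it as a script to see the Downloads listing, the timestomp suspect (the constructed svchost.exe drop) and the correlated record for invoice.exe, including the estimated launch time 10 seconds before Prefetch's LastRun.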

6. Build the Process Execution Chain with Sysmon

Switch to the Sysmon tab. This is where you reconstruct the full execution chain. The key Sysmon Event IDs for malware analysis are:

Event ID  Description              What to Look For
1         Process Create           Parent-child relationships, command lines, execution paths
3         Network Connection       C2 callbacks, data exfiltration destinations
7         Image Loaded             DLL sideloading, injected modules
11        File Create              Dropped payloads, persistence scripts
13        Registry Value Set       Run key persistence, service installation
15        File Create Stream Hash  Alternate data streams, Zone.Identifier

Filter to Event ID 1 and search for invoice.exe in the Image or ParentImage columns. You should see a chain like:

explorer.exe (PID 4812)
  -> chrome.exe (PID 9204)          [browser download]
    -> invoice.exe (PID 6148)       [malware execution]
      -> cmd.exe (PID 7320)         [spawned shell]
        -> powershell.exe (PID 2956) [payload staging]

7. Visualize with Process Inspector

Open Tools > Process Inspector to see the full hierarchy. The Process Inspector automatically flags this chain with color-coded indicators:

  • Red -- invoice.exe spawning cmd.exe (non-standard parent for shell)
  • Orange -- powershell.exe and cmd.exe as LOLBins
  • Yellow -- execution from \Downloads\ path

Click on invoice.exe in the tree to highlight its full ancestor chain. Note the parent: invoice.exe was spawned by chrome.exe, not explorer.exe, which means the user launched it straight from the browser's download bar rather than from a folder window. Had it been double-clicked in Explorer, explorer.exe would be the parent. Either way the story is the same: the browser downloaded the file, the user executed it, and it spawned a command shell.

Use the Filter to Process button on powershell.exe (PID 2956) to see all Sysmon events associated with that process in the main grid. Look for:

  • Event ID 3 (Network Connection) -- outbound connections to C2 infrastructure
  • Event ID 11 (File Create) -- secondary payloads dropped to disk
  • Event ID 13 (Registry Value Set) -- persistence mechanisms

8. Trace Dropped Files and Persistence

With PowerShell's PID filtered, look for Event ID 11 entries showing file creation:

EventID  Image           TargetFilename              UtcTime
11       powershell.exe  C:\ProgramData\svchost.exe  2026-02-24 14:33:12
11       powershell.exe  C:\ProgramData\config.dat   2026-02-24 14:33:14

And Event ID 13 entries showing registry persistence:

EventID  TargetObject                                                      Details
13       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate  C:\ProgramData\svchost.exe

The malware dropped a second-stage payload masquerading as svchost.exe in C:\ProgramData\ and established Run key persistence. Bookmark and tag these rows as Persistence.

TIP

Legitimate svchost.exe lives in C:\Windows\System32\ (with a 32-bit copy in C:\Windows\SysWOW64\). Any instance running from another path -- especially C:\ProgramData\, C:\Temp\, or a user profile folder -- is almost certainly malicious. Use Stacking on the Image column to quickly find all unique executable paths and spot imposters; the genuine article also normally has services.exe as its parent, so a svchost.exe with any other ParentImage deserves the same scrutiny.

9. Identify Network Callbacks

Still in the Sysmon tab, filter for Event ID 3 associated with the malicious process IDs. Use the Histogram to see when network connections occurred:

EventID  Image                       DestinationIp   DestinationPort  UtcTime
3        C:\ProgramData\svchost.exe  185.220.101.34  443              2026-02-24 14:33:28
3        C:\ProgramData\svchost.exe  185.220.101.34  443              2026-02-24 14:38:28
3        C:\ProgramData\svchost.exe  185.220.101.34  443              2026-02-24 14:43:28

The fixed 5-minute interval is a classic C2 beacon pattern. Many implants add jitter to the sleep, so look for roughly regular gaps as well as exact ones, and do not assume port 443 means the traffic was actually TLS. Bookmark the destination IP and tag these rows as C2 Communication.
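Steps 6 through 9 all come out of the same Sysmon table: rebuild the parent/child tree from Event ID 1, pivot to the spawned processes' Event ID 3/11/13 activity, stack the Image column for impostors, and look at connection timing. The Python below is an added example, not IRFlow Timeline's code, that does those four things over a constructed set of Sysmon events flattened to one column per EventData field. It uses the PIDs from the chain above, adds the dropped second stage as PID 8812 and a legitimate svchost.exe plus an unrelated chrome.exe connection for contrast. Real Sysmon data should be keyed on ProcessGuid rather than ProcessId, since PIDs are reused; PIDs are used here only to match the guide.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime
from ntpath import basename

# Constructed Sysmon events (EvtxECmd payload fields pivoted into columns).
SYSMON_CSV = r"""UtcTime,EventID,ProcessId,ParentProcessId,Image,ParentImage,CommandLine,TargetFilename,TargetObject,Details,DestinationIp,DestinationPort
2026-02-24 13:58:01.000,1,1012,808,C:\Windows\System32\svchost.exe,C:\Windows\System32\services.exe,svchost.exe -k netsvcs,,,,,
2026-02-24 13:59:00.000,1,4812,4700,C:\Windows\explorer.exe,C:\Windows\System32\userinit.exe,explorer.exe,,,,,
2026-02-24 14:30:02.000,1,9204,4812,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Windows\explorer.exe,chrome.exe,,,,,
2026-02-24 14:32:31.000,1,6148,9204,C:\Users\jsmith\Downloads\invoice.exe,C:\Program Files\Google\Chrome\Application\chrome.exe,invoice.exe,,,,,
2026-02-24 14:32:33.000,1,7320,6148,C:\Windows\System32\cmd.exe,C:\Users\jsmith\Downloads\invoice.exe,cmd.exe /c powershell -w hidden -ep bypass -f %TEMP%\s.ps1,,,,,
2026-02-24 14:32:34.000,1,2956,7320,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\Windows\System32\cmd.exe,powershell -w hidden -ep bypass -f %TEMP%\s.ps1,,,,,
2026-02-24 14:33:12.000,11,2956,,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,,,C:\ProgramData\svchost.exe,,,,
2026-02-24 14:33:14.000,11,2956,,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,,,C:\ProgramData\config.dat,,,,
2026-02-24 14:33:15.000,13,2956,,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,,,,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate,C:\ProgramData\svchost.exe,,
2026-02-24 14:33:20.000,1,8812,2956,C:\ProgramData\svchost.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\ProgramData\svchost.exe,,,,,
2026-02-24 14:33:28.000,3,8812,,C:\ProgramData\svchost.exe,,,,,,185.220.101.34,443
2026-02-24 14:38:28.000,3,8812,,C:\ProgramData\svchost.exe,,,,,,185.220.101.34,443
2026-02-24 14:43:28.000,3,8812,,C:\ProgramData\svchost.exe,,,,,,185.220.101.34,443
2026-02-24 14:35:00.000,3,9204,,C:\Program Files\Google\Chrome\Application\chrome.exe,,,,,,142.250.80.46,443
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def process_tree(rows):
    """Step 6: PID -> (image, parent PID) from Event ID 1."""
    return {r["ProcessId"]: (r["Image"], r["ParentProcessId"]) for r in rows if r["EventID"] == "1"}


def ancestry(tree, pid):
    """Root-first chain of image basenames, like Process Inspector's highlighted ancestors."""
    chain = []
    while pid in tree:
        image, pid = tree[pid]
        chain.append(basename(image))
    return chain[::-1]


def descendants(tree, root):
    """Step 7 'Filter to Process', widened to the root PID plus everything it spawned."""
    children = defaultdict(list)
    for pid, (_, ppid) in tree.items():
        children[ppid].append(pid)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen


def events_for(rows, pids, event_ids=("3", "11", "13")):
    """Network, file-create and registry events attributable to the given PIDs."""
    return [r for r in rows if r["ProcessId"] in pids and r["EventID"] in event_ids]


def svchost_impostors(rows):
    """Step 8 tip: stack Image and flag svchost.exe outside its two legitimate homes."""
    legit = (r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe")
    stacked = Counter(r["Image"] for r in rows if r["Image"])
    return sorted(img for img in stacked
                  if basename(img).lower() == "svchost.exe" and img.lower() not in legit)


def beacons(rows, min_hits=3, jitter=0.1):
    """Step 9: group Event ID 3 by (image, dst ip, port) and report destinations whose
    inter-connection gaps are near-constant. jitter = allowed spread as a fraction of
    the mean gap, so implants that randomise their sleep a little are still caught."""
    groups = defaultdict(list)
    for r in rows:
        if r["EventID"] == "3":
            groups[(r["Image"], r["DestinationIp"], r["DestinationPort"])].append(parse_ts(r["UtcTime"]))
    found = []
    for (image, ip, port), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(gaps) - min(gaps) <= jitter * mean:
            found.append({"image": image, "dst": f"{ip}:{port}", "interval_s": round(mean), "hits": len(times)})
    return found


if __name__ == "__main__":
    rows = load(SYSMON_CSV)
    tree = process_tree(rows)
    print(" -> ".join(ancestry(tree, "2956")))
    for r in events_for(rows, descendants(tree, "6148")):
        print(r["EventID"], r["ProcessId"], r["TargetFilename"] or r["TargetObject"] or r["DestinationIp"])
    print("impostors:", svchost_impostors(rows))
    print("beacons:", beacons(rows))
```

Scoping events_for to descendants of invoice.exe rather than to a single PID is what pulls in the second stage's Event ID 3 rows, which a filter on powershell.exe alone would miss; chrome.exe's own connection stays out because it is not below invoice.exe in the tree.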

10. Run IOC Matching Against Threat Intel

Open Actions > IOC Matching and paste your collected indicators:

a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
185.220.101.34
C:\ProgramData\svchost.exe
invoice.exe

The IOC Matcher scans all loaded data across every tab and returns all matching rows with full context. Use Tag all matches to apply an IOC Hit tag, then use Export matches to produce a focused evidence file.

TIP

If your threat intel team provides a hash list (CSV of SHA1 or SHA256 values), paste them all at once. The IOC matcher handles bulk lists efficiently and reports per-indicator match counts so you can prioritize the most prevalent indicators.
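The matching rules are where a bulk indicator scan earns or loses trust, so the Python below is an added example (not the IOC Matcher's own implementation) of one reasonable set: hashes compared case-insensitively as whole cells, IPs matched only at octet boundaries so 185.220.101.3 and 185.220.101.34 can never hit each other, paths as case-insensitive substrings (they turn up inside command lines), and bare filenames only at a path separator or token boundary. It returns per-indicator row counts and the indicators that matched nothing. The tabs and the pasted indicator list, including a SHA256 that appears nowhere, are constructed.

```python
import re
from collections import Counter

# Constructed tabs: a few rows from the artifact tabs above, trimmed to the columns
# that matter. A legitimate svchost.exe row and a near-miss IP show what must NOT match.
TABS = {
    "Amcache": [
        {"FullPath": r"C:\Users\jsmith\Downloads\invoice.exe",
         "SHA1": "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"},
    ],
    "Sysmon": [
        {"EventID": "1", "Image": r"C:\Users\jsmith\Downloads\invoice.exe", "CommandLine": "invoice.exe"},
        {"EventID": "11", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "TargetFilename": r"C:\ProgramData\svchost.exe"},
        {"EventID": "3", "Image": r"C:\ProgramData\svchost.exe", "DestinationIp": "185.220.101.34"},
        {"EventID": "3", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "DestinationIp": "185.220.101.3"},
        {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    ],
}

# Constructed indicator list as pasted from a threat-intel export: mixed case,
# a comment line, and one SHA256 with no corresponding row.
IOC_LIST = r"""
# feed export 2026-02-24
a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
185.220.101.34
C:\ProgramData\svchost.exe
invoice.exe
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
"""

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(ioc):
    """Pick the matching rule from the indicator's shape."""
    if re.fullmatch(r"[0-9a-fA-F]+", ioc) and len(ioc) in HASH_KINDS:
        return HASH_KINDS[len(ioc)]
    if IPV4.match(ioc):
        return "ipv4"
    return "path" if "\\" in ioc or "/" in ioc else "filename"


def parse_iocs(text):
    """One indicator per line; drop blanks and # comments; lowercase hashes."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind = classify(line)
            out.append((kind, line.lower() if kind in HASH_KINDS.values() else line))
    return out


def cell_matches(kind, ioc, cell):
    if kind in HASH_KINDS.values():
        return cell.lower() == ioc                          # whole cell, case-insensitive
    if kind == "ipv4":                                      # octet boundaries on both sides
        return re.search(rf"(?<![\d.]){re.escape(ioc)}(?![\d.])", cell) is not None
    if kind == "path":
        return ioc.lower() in cell.lower()                  # may be embedded in a command line
    # bare filename: only at a path separator or token boundary, case-insensitive
    return re.search(rf"(?<![\w.]){re.escape(ioc)}(?![\w.])", cell, re.IGNORECASE) is not None


def match_iocs(tabs, ioc_text):
    """Scan every non-empty cell of every tab. Returns (hits with context, rows matched per indicator)."""
    iocs = parse_iocs(ioc_text)
    hits, counts = [], Counter({ioc: 0 for _, ioc in iocs})
    for tab, rows in tabs.items():
        for idx, row in enumerate(rows):
            for kind, ioc in iocs:
                cols = [c for c, v in row.items() if v and cell_matches(kind, ioc, v)]
                if cols:
                    hits.append({"tab": tab, "row": idx, "type": kind, "ioc": ioc, "columns": cols})
                    counts[ioc] += 1
    return hits, counts


def unmatched(tabs, ioc_text):
    """Indicators with zero hits: absent from this host, or outside the loaded artifact coverage."""
    return sorted(ioc for ioc, n in match_iocs(tabs, ioc_text)[1].items() if n == 0)


if __name__ == "__main__":
    hits, counts = match_iocs(TABS, IOC_LIST)
    for ioc, n in counts.most_common():
        print(f"{n:3d}  {ioc}")
    for h in hits:
        print(h)
    print("no hits:", unmatched(TABS, IOC_LIST))
```

Note how the bare filename invoice.exe hits twice while the full path C:\ProgramData\svchost.exe hits only the dropped copy and never the System32 original: filename-only indicators are the noisiest kind, so prefer hashes and full paths when the feed offers them, and treat the zero-hit list as input to the coverage review in step 11.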

11. Review Log Source Coverage

Before finalizing your analysis, open Log Source Coverage to verify you are not missing critical artifact types. Gaps in coverage (e.g., no Sysmon Event ID 3 because the config did not log network connections, or no PowerShell ScriptBlock logging, which would be Event ID 4104 in Microsoft-Windows-PowerShell/Operational) should be noted as limitations in your report, since they mean the absence of an event is not evidence that nothing happened.

12. Export Your Findings

Use Export Reports to generate your deliverables:

  • Export bookmarked rows to a focused evidence spreadsheet
  • Save the full Session so your filters, color rules, bookmarks, and tags are preserved for peer review or court presentation

Key Artifact Correlation Summary

Artifact       What It Proves                                                    Key Field(s)
MFT            File landed on disk at a specific time                            Created0x10 (cross-check Created0x30)
Prefetch       Binary was executed, how many times, and when                     RunCount, LastRun
Amcache        File was inventoried (approximate first-seen time) and its SHA1   SHA1, FullPath
Sysmon EID 1   Process creation chain and command line args                      Image, ParentImage, CommandLine
Sysmon EID 3   Network connections to C2                                         DestinationIp, DestinationPort
Sysmon EID 11  Dropped files on disk                                             TargetFilename
Sysmon EID 13  Registry persistence                                              TargetObject, Details
