parent process ID spoofing detector — free browser tool | fatcousin

drop 4688 evtx csv or sysmon csv · detect impossible parent-child timing · ppid reuse · suspicious spawn rules · process tree · runs locally

evtx csvs

drop security evtx csv (4688 + 4689)

or click

Select file

drop sysmon evtx csv (event id 1)

or click

Select file

merge security + sysmon exports · correlates parent exit (4689) vs child create (4688/1)

drop security 4688/4689 evtx csv and/or sysmon csv

ready