PsExec in-place updated task/fixlet?

This need sounds very similar to the SolarWinds detections I published to BigFix.me.

Have a look at Method 2 from the thread "DHS Emergency Directive 21-01 - Sunburst - SolarWinds thread", and I think you could adapt it to search & report on the two PsExec files.
You could also build a remediation based on reading the probe file to find all the paths where PsExec was found and replacing them.
