PsExec and PWDumpX staging in Windows Temp directory

Suspicious executable p.exe staged in temp directory and executed

PowerShell spawning cmd.exe to execute suspicious temp binary

Multiple rundll32.exe instances with null command lines spawned from PowerShell child

Subject_srv.exe persistent listener on port 3262 with remote connection

PowerShell spawning cmd.exe spawning staging executable (attack chain)

PowerShell process with multiple RWX memory regions indicating code injection

OUTLOOK.EXE process with RWX memory injection

UpdaterUI.exe process with RWX memory region

Multiple rundll32.exe instances with null command lines spawned from PowerShell child

Multiple rundll32.exe instances with null command lines spawned from PowerShell child

Multiple rundll32.exe instances with null command lines spawned from PowerShell child

Multiple rundll32.exe instances with null command lines spawned from PowerShell child

Multiple rundll32.exe instances with null command lines spawned from PowerShell child

PsExec service infrastructure detected in registry and amcache

PowerShell reflection-based code loading detected in event logs

Multiple unowned TCP connections to 172.16.4.10 port 8080 in CLOSE_WAIT state

RDP lateral movement attempt to 172.16.4.5 port 3389

SMB connection to external host 172.16.7.15 port 445

SMB connection to internal host 172.16.6.14 port 445

DNS query to external IP 172.16.4.4 port 389 (LDAP)

Dashlane.exe listening on localhost high port 49784

PsExec service registered in registry (PSEXESVC)

Reflection-based PowerShell code injection detected in event logs

Network connections to external IPs from unnamed/orphaned processes

SMB connections to internal network shares (lateral movement indicator)

NCPA (Nagios) monitoring agent executed from staging directory

RDP connections to multiple internal hosts from compromised system

PowerShell reflection-based code loading detected in event logs

PsExecSvc service persistence with local system privilege

Explicit credential logon (Event 4648) from SYSTEM context to external accounts

SafeBoot registry modification for persistence

Conhost.exe with sensitive privileges and null command line

Established connections to external IPs (13.89.220.65, 52.16.55.11) with CLOSED state

Credential dumping tool deployment (PWDumpX.exe, SysInternal tools)

PsExec service artifact in registry and amcache (Lateral Movement / Admin Tooling)

Suspicious PowerShell command with reflection load TTP (Code Evasion)

Safe boot registry alternate shell persistence (Privilege Escalation / Persistence)

Multiple DISMHOST.exe executions from temporary directories (Lateral Movement / Living off the Land)

WMIPrvSE.exe with SeImpersonatePrivilege enabled (Privilege Escalation / WMI Exploitation)

Conhost.exe with SeDebugPrivilege and SeImpersonatePrivilege (Privilege Escalation Context)

Multiple established connections to 172.16.4.10:8080 in CLOSE_WAIT state (Lateral Movement / C2 Staging)

Established connection to 172.16.6.14:445 (SMB lateral movement)

RDP connections to 172.16.4.5:3389 in CLOSED state (Lateral movement attempt)

Event log evidence of credential logon with SYSTEM context (Lateral Movement / Credential Theft)

Multiple suspicious lolbin executions via AppCompatCache (Living off the Land / Defense Evasion)

NCPA listener execution from temp directory (Lateral Movement / Living off the Land)

Setup completion script execution artifact (Persistence / Execution via Boot Scripts)

Jump List evidence of administrative tool access (Application Access History)

Event log file clearance evidence (Anti-forensics / Defense Evasion)

Summary: Multi-stage attack chain with code injection, credential theft, and lateral movement

lateral movement admin share: ip:172.16.5.26

lateral movement admin share: ip:172.16.10.12

defense evasion anti forensics: event:1102 (audit log cleared) · microsoft-windows-eventlog