PowerShell process with multiple RWX memory regions indicating code injection

OUTLOOK.EXE process with RWX memory injection

UpdaterUI.exe process with RWX memory region

PsExec service infrastructure detected in registry and amcache

PowerShell reflection-based code loading detected in event logs

Multiple unowned TCP connections to 172.16.4.10 port 8080 in CLOSE_WAIT state

RDP lateral movement attempt to 172.16.4.5 port 3389

SMB connection to external host 172.16.7.15 port 445

SMB connection to internal host 172.16.6.14 port 445

DNS query to external IP 172.16.4.4 port 389 (LDAP)

PsExec service registered in registry (PSEXESVC)

Reflection-based PowerShell code injection detected in event logs

Network connections to external IPs from unnamed/orphaned processes

SMB connections to internal network shares (lateral movement indicator)

NCPA (Nagios) monitoring agent executed from staging directory

PowerShell reflection-based code loading detected in event logs

PsExecSvc service persistence with local system privilege

Explicit credential logon (Event 4648) from SYSTEM context to external accounts

SafeBoot registry modification for persistence

Conhost.exe with sensitive privileges and null command line

Credential dumping tool deployment (PWDumpX.exe, SysInternal tools)

PsExec service artifact in registry and amcache (Lateral Movement / Admin Tooling)

Suspicious PowerShell command with reflection load TTP (Code Evasion)

Safe boot registry alternate shell persistence (Privilege Escalation / Persistence)

Multiple DISMHOST.exe executions from temporary directories (Lateral Movement / Living off the Land)

WMIPrvSE.exe with SeImpersonatePrivilege enabled (Privilege Escalation / WMI Exploitation)

Multiple established connections to 172.16.4.10:8080 in CLOSE_WAIT state (Lateral Movement / C2 Staging)

Established connection to 172.16.6.14:445 (SMB lateral movement)

RDP connections to 172.16.4.5:3389 in CLOSED state (Lateral movement attempt)

Event log evidence of credential logon with SYSTEM context (Lateral Movement / Credential Theft)

NCPA listener execution from temp directory (Lateral Movement / Living off the Land)

Setup completion script execution artifact (Persistence / Execution via Boot Scripts)

Event log file clearance evidence (Anti-forensics / Defense Evasion)

Summary: Multi-stage attack chain with code injection, credential theft, and lateral movement