ID   | Severity | Flag           | Description                                                                          | Sources                                               | Verdict    | Proofs
-----|----------|----------------|--------------------------------------------------------------------------------------|-------------------------------------------------------|------------|----------
F004 | HIGH     | ⚖ AI overruled | Suspicious executable p.exe staged in temp directory and executed                    | get_amcache, vol_cmdline, vol_malfind, vol_pstree     | Suspicious | 50 proofs
F005 | MEDIUM   | ⚖ AI overruled | PowerShell spawning cmd.exe to execute suspicious temp binary                        | vol_cmdline, vol_pstree                               | Suspicious | 50 proofs
F009 | MEDIUM   | ⚖ AI overruled | Multiple rundll32.exe instances with null command lines spawned from PowerShell child | vol_cmdline, vol_pstree, vol_psxview                  | Suspicious | 50 proofs
F015 | MEDIUM   | ⚖ AI overruled | Subject_srv.exe persistent listener on port 3262 with remote connection              | vol_cmdline, vol_netscan, vol_pstree                  | Suspicious | 50 proofs
F027 | HIGH     | ⚖ AI overruled | PowerShell spawning cmd.exe spawning staging executable (attack chain)               | parse_event_logs, vol_handles, vol_pstree             | Suspicious | 50 proofs
F006 | MEDIUM   |                | Multiple rundll32.exe instances with null command lines spawned from PowerShell child | vol_cmdline, vol_pstree, vol_psxview                  | Suspicious | 50 proofs
F007 | MEDIUM   |                | Multiple rundll32.exe instances with null command lines spawned from PowerShell child | vol_cmdline, vol_pstree, vol_psxview                  | Suspicious | 50 proofs
F008 | MEDIUM   |                | Multiple rundll32.exe instances with null command lines spawned from PowerShell child | vol_cmdline, vol_pstree, vol_psxview                  | Suspicious | 50 proofs
F010 | MEDIUM   |                | Multiple rundll32.exe instances with null command lines spawned from PowerShell child | vol_cmdline, vol_pstree, vol_psxview                  | Suspicious | 50 proofs
F011 | MEDIUM   |                | Multiple rundll32.exe instances with null command lines spawned from PowerShell child | vol_cmdline, vol_pstree, vol_psxview                  | Suspicious | 50 proofs
F053 | MEDIUM   |                | Lateral movement via admin share: ip:172.16.5.26                                     | extract_network_iocs, parse_event_logs                | Suspicious | 19 proofs
F054 | MEDIUM   |                | Lateral movement via admin share: ip:172.16.10.12                                    | extract_network_iocs, parse_event_logs                | Suspicious | 19 proofs
F055 | MEDIUM   |                | Defense evasion / anti-forensics: event:1102 (audit log cleared) · microsoft-windows-eventlog | parse_event_logs                              | Suspicious | 1 proof