Findings table (one record per finding: ID and severity, description, Volatility plugins cited as evidence, verdict with proof count)

F001  MEDIUM  PowerShell process with multiple RWX memory regions indicating code injection
      Plugins: vol_handles, vol_malfind, vol_psscan, vol_pstree
      Verdict: Benign / FP (50 proofs)

F008  LOW     Subject_srv.exe listening on non-standard port 3262 with F-Response fingerprint
      Plugins: vol_netscan, vol_psscan, vol_pstree
      Verdict: Benign / FP (50 proofs)

F014  LOW     PowerShell 64-bit spawning 32-bit PowerShell child process
      Plugins: vol_cmdline, vol_handles, vol_pstree
      Verdict: Benign / FP (50 proofs)

F015  LOW     Multiple rundll32.exe processes spawned from child PowerShell with null command lines
      Plugins: vol_cmdline, vol_pstree
      Verdict: Benign / FP (50 proofs)

F016  MEDIUM  Multiple rundll32.exe processes spawned from child PowerShell with null command lines
      Plugins: vol_cmdline, vol_pstree
      Verdict: Benign / FP (50 proofs)

F017  LOW     Multiple privileged network services listening on non-standard ports
      Plugins: vol_netscan, vol_pstree
      Verdict: Benign / FP (50 proofs)

F018  LOW     Multiple privileged network services listening on non-standard ports
      Plugins: vol_netscan, vol_pstree
      Verdict: Benign / FP (50 proofs)

F029  MEDIUM  OUTLOOK.EXE with RWX memory regions and localhost socket listener
      Plugins: vol_cmdline, vol_handles, vol_malfind, vol_netscan, +1
      Verdict: Benign / FP (57 proofs)

F032  LOW     WmiPrvSE elevated privilege context with SeImpersonate and SeDebug enabled (TA0004: Privilege Escalation, TA0005: Defense Evasion)
      Plugins: vol_privileges
      Verdict: Benign / FP (50 proofs)

F035  MEDIUM  Multiple outbound TCP connections to remote IP 172.16.4.10:8080 with CLOSE_WAIT state (TA0010: Exfiltration, TA0011: Command and Control)
      Plugins: vol_netscan
      Verdict: Benign / FP (39 proofs)
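Several of the findings above (F008, F017, F018, F029, F035) rest on vol_netscan output alone. The script below is an added triage example, not the tooling that produced this table: it parses text in the column layout of Volatility 3 `windows.netscan` (Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner, Created; assumed here) and raises the two netscan-only shapes in the table, a cluster of CLOSE_WAIT sockets to one remote endpoint (the F035 shape) and LISTENING sockets on ports outside an allowlist (the F008/F017 shape). The sample rows, the port allowlist and the `min_count` threshold are constructed for the example; the process privilege context that makes F017/F018 "privileged" comes from vol_pstree/vol_privileges and is not consumed here.

```python
"""Triage helper for Volatility 3 windows.netscan text output (added example)."""
from collections import defaultdict

# Constructed sample in the assumed netscan column order; no value is from a real image.
SAMPLE_NETSCAN = """\
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0xe00000a10000 TCPv4 10.0.0.5 49812 172.16.4.10 8080 CLOSE_WAIT 4120 powershell.exe 2024-01-15 10:23:41.000000
0xe00000a20000 TCPv4 10.0.0.5 49813 172.16.4.10 8080 CLOSE_WAIT 4120 powershell.exe 2024-01-15 10:23:42.000000
0xe00000a30000 TCPv4 10.0.0.5 49814 172.16.4.10 8080 CLOSE_WAIT 4120 powershell.exe 2024-01-15 10:23:43.000000
0xe00000a40000 TCPv4 10.0.0.5 49900 198.51.100.7 443 ESTABLISHED 2210 chrome.exe 2024-01-15 10:20:00.000000
0xe00000a50000 TCPv4 0.0.0.0 3262 0.0.0.0 0 LISTENING 1988 Subject_srv.exe 2024-01-15 09:00:00.000000
0xe00000a60000 TCPv4 0.0.0.0 445 0.0.0.0 0 LISTENING 4 System 2024-01-15 08:59:00.000000
0xe00000a70000 TCPv4 127.0.0.1 50103 0.0.0.0 0 LISTENING 3304 OUTLOOK.EXE 2024-01-15 09:30:00.000000
"""

# Hypothetical allowlist of ports expected on the host; tune per environment.
STANDARD_PORTS = {80, 135, 139, 443, 445, 3389, 5985, 5986}


def _port(text):
    """Ports may be printed as '*' for unbound UDP sockets; return None for those."""
    return int(text) if text.isdigit() else None


def parse_netscan(text):
    """Parse whitespace-separated netscan rows. Created holds a space, so the
    line is split into at most 10 fields and the remainder kept as the timestamp."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Offset"):
            continue  # blank line or column header
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue  # truncated row; skip rather than guess
        rows.append({
            "offset": parts[0], "proto": parts[1],
            "laddr": parts[2], "lport": _port(parts[3]),
            "raddr": parts[4], "rport": _port(parts[5]),
            "state": parts[6], "pid": int(parts[7]), "owner": parts[8],
            "created": parts[9] if len(parts) > 9 else "",
        })
    return rows


def close_wait_clusters(rows, min_count=2):
    """F035 shape: TCP sockets in CLOSE_WAIT (remote side closed, local process
    never did) grouped by remote endpoint; return endpoints with >= min_count."""
    groups = defaultdict(list)
    for r in rows:
        if r["proto"].startswith("TCP") and r["state"] == "CLOSE_WAIT":
            groups[(r["raddr"], r["rport"])].append((r["pid"], r["owner"]))
    return {ep: owners for ep, owners in groups.items() if len(owners) >= min_count}


def nonstandard_listeners(rows, allowlist=STANDARD_PORTS):
    """F008/F017 shape: LISTENING sockets on ports outside the allowlist.
    Loopback-only listeners are flagged as such so the analyst can separate the
    F029 OUTLOOK.EXE pattern (127.0.0.1) from externally reachable services."""
    hits = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] not in allowlist:
            hits.append({"pid": r["pid"], "owner": r["owner"], "port": r["lport"],
                         "loopback_only": r["laddr"].startswith("127.")})
    return hits


def triage(text):
    """Run both checks and return the candidates for an analyst to prove or refute."""
    rows = parse_netscan(text)
    return {"close_wait": close_wait_clusters(rows),
            "listeners": nonstandard_listeners(rows)}


if __name__ == "__main__":
    result = triage(SAMPLE_NETSCAN)
    for (addr, port), owners in result["close_wait"].items():
        print(f"CLOSE_WAIT cluster -> {addr}:{port}: {len(owners)} sockets, owners {sorted(set(owners))}")
    for hit in result["listeners"]:
        scope = "loopback only" if hit["loopback_only"] else "all interfaces"
        print(f"non-standard listener: {hit['owner']} (PID {hit['pid']}) port {hit['port']}, {scope}")
```

The output is a candidate list, not a verdict: in the table above every one of these shapes ended as Benign / FP once the cited proofs were examined, so the script's role is to surface the rows worth the vol_pstree, vol_malfind and vol_privileges follow-up, not to score them.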