| ID | Severity | Review | Finding | Tools | Status | Proofs |
|---|---|---|---|---|---|---|
| F003 | MEDIUM | AI overruled | Suspicious executable p.exe staged in the Windows temp directory and executed via cmd.exe | vol_malfind, vol_psscan, vol_pstree | Suspicious | 50 |
| F013 | MEDIUM | AI overruled | cmd.exe spawning suspicious p.exe from a temporary directory | vol_cmdline, vol_pstree | Suspicious | 50 |
| F002 | MEDIUM | | OUTLOOK.EXE with RWX memory regions and a localhost high-port network listener | vol_cmdline, vol_handles, vol_malfind, vol_netscan, +2 more | Suspicious | 50 |
| F004 | MEDIUM | | UpdaterUI.exe with an RWX memory region containing injected code | vol_cmdline, vol_handles, vol_malfind, vol_psscan, +1 more | Suspicious | 50 |
| F006 | MEDIUM | | PowerShell reflection-based code loading detected in event logs | parse_event_logs | Suspicious | 0 |
| F007 | | | Staged execution artifacts in AppCompatCache: PWDumpX, PsExec, DismHost | get_amcache, run_appcompatcacheparser | Suspicious | 0 |
| F009 | | | Multiple rundll32.exe processes holding sensitive privileges (SeDebug, SeImpersonate, SeLoadDriver) | vol_privileges | Suspicious | 0 |
| F010 | | | conhost.exe holding sensitive privileges (SeDebug, SeImpersonate, SeLoadDriver) | vol_privileges | Suspicious | 0 |
| F011 | MEDIUM | | Suspicious PowerShell command with reflection-based assembly loading | parse_event_logs | Suspicious | 0 |
| F012 | | | PsExec service persistence in the registry | parse_registry_persistence | Suspicious | 0 |
| F019 | MEDIUM | | Network connections to 172.16.4.10:8080 (an RFC 1918 private address, not an external one) in ESTABLISHED and CLOSE_WAIT states | vol_netscan | Suspicious | 39 |
| F020 | LOW | | Network connections to internal targets on RDP port 3389 in CLOSED state | vol_netscan | Suspicious | 43 |
| F021 | MEDIUM | | SMB (port 445) connection from an internal system to 172.16.7.15 in ESTABLISHED state | vol_netscan | Suspicious | 41 |
| F022 | | | Suspicious SMB connection from an internal system to 172.16.6.14:445 in ESTABLISHED state | vol_netscan | Suspicious | 0 |
| F025 | MEDIUM | | PowerShell reflection-based code loading (TA0005 Defense Evasion) | parse_event_logs | Suspicious | 0 |
| F026 | MEDIUM | | Explicit credential usage by the SYSTEM account (TA0008 Lateral Movement) | parse_event_logs | Suspicious | 0 |
| F027 | | | Persistence via SafeBoot AlternateShell registry modification | parse_registry_persistence | Suspicious | 0 |
| F028 | | | Network connections to external C2 infrastructure | vol_netscan | Suspicious | 0 |
| F030 | MEDIUM | | Reflection-based PowerShell command with a code injection pattern (TA0002 Execution) | parse_event_logs | Suspicious | 0 |
| F031 | MEDIUM | | PWDumpX credential dumping tool staged in a temp directory (TA0006 Credential Access) | get_amcache, run_appcompatcacheparser | Suspicious | 3 |
| F033 | | | rundll32.exe holding sensitive privileges (TA0004 Privilege Escalation) | vol_privileges | Suspicious | 0 |
| F034 | | | conhost.exe with SeImpersonate and SeDebug privileges (TA0004 Privilege Escalation) | vol_privileges | Suspicious | 0 |
| F036 | MEDIUM | | Additional outbound RDP and SMB reconnaissance connections (TA0007 Discovery, TA0008 Lateral Movement) | vol_netscan | Suspicious | 19 |
| F038 | MEDIUM | | NCPA monitoring agent staged in a temp directory and executed (TA0002 Execution, TA0009 Collection) | get_amcache, run_appcompatcacheparser | Suspicious | 3 |
| F039 | | | DismHost lateral movement artifacts in temp directories (TA0008 Lateral Movement, TA0002 Execution) | run_appcompatcacheparser | Suspicious | 0 |
| F040 | MEDIUM | | Adobe ARM helper staged and executed from temp (TA0002 Execution, TA0009 Collection) | run_appcompatcacheparser | Suspicious | 0 |
| F041 | MEDIUM | | Batch of PowerShell and Windows command-line LOLBin executions (TA0002 Execution) | run_appcompatcacheparser | Suspicious | 3 |
| F042 | MEDIUM | | Lateral movement via admin share to 172.16.5.26 | extract_network_iocs, parse_event_logs | Suspicious | 19 |
| F043 | MEDIUM | | Lateral movement via admin share to 172.16.10.12 | extract_network_iocs, parse_event_logs | Suspicious | 19 |
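Several of the vol_netscan findings above (F002, F019, F020, F021, F022, F036) hinge on the scope of the remote address: whether it is loopback, inside RFC 1918 space, or genuinely external, and which service port was contacted. The script below is an added example, not part of the finding list or of the tool that produced it. It assumes the column names Volatility 3's windows.netscan plugin emits with the csv renderer (LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner); the sample rows are constructed to mirror the findings and are not taken from the real memory image. Address scope is checked against the RFC 1918 networks directly rather than with ipaddress.is_private, because the latter also matches documentation ranges and would hide an external peer.

```python
"""Triage of Volatility 3 windows.netscan rows by remote-address scope.

Added example; assumes the plugin's csv column names. Sample rows are
constructed, not captured from the image the findings refer to.
"""
import csv
import io
import ipaddress

# Constructed sample in the shape of `vol -r csv -f mem.raw windows.netscan`.
SAMPLE_NETSCAN = """\
Offset,Proto,LocalAddr,LocalPort,ForeignAddr,ForeignPort,State,PID,Owner,Created
0xa1,TCPv4,127.0.0.1,49201,0.0.0.0,0,LISTENING,4120,OUTLOOK.EXE,2023-01-01 10:00:00
0xa2,TCPv4,172.16.3.21,50001,172.16.4.10,8080,ESTABLISHED,2200,svchost.exe,2023-01-01 10:01:00
0xa3,TCPv4,172.16.3.21,50002,172.16.4.10,8080,CLOSE_WAIT,2200,svchost.exe,2023-01-01 10:02:00
0xa4,TCPv4,172.16.3.21,50010,172.16.7.15,445,ESTABLISHED,4,System,2023-01-01 10:03:00
0xa5,TCPv4,172.16.3.21,50011,172.16.6.14,445,ESTABLISHED,4,System,2023-01-01 10:03:30
0xa6,TCPv4,172.16.3.21,50020,172.16.5.26,3389,CLOSED,1800,mstsc.exe,2023-01-01 10:04:00
0xa7,TCPv4,172.16.3.21,50030,203.0.113.7,443,ESTABLISHED,2200,svchost.exe,2023-01-01 10:05:00
"""

# RFC 1918 only. ipaddress.is_private would also match documentation ranges
# such as 203.0.113.0/24 and hide a genuinely external peer.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 135: "RPC", 5985: "WinRM", 5986: "WinRM"}
EPHEMERAL_START = 49152  # default Windows dynamic port range


def classify(addr: str) -> str:
    """Scope of an address: unspecified, loopback, private (RFC 1918), public, or unknown."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # netscan prints '*' or '-' for unresolved endpoints
        return "unknown"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "private"
    return "public"             # IPv6 ULA is not special-cased here


def triage(netscan_csv: str) -> dict:
    """Group connections by remote endpoint; collect loopback listeners on ephemeral ports."""
    peers, listeners = {}, []
    for row in csv.DictReader(io.StringIO(netscan_csv)):
        owner, pid = row["Owner"], int(row["PID"])
        if row["State"] == "LISTENING":
            lport = int(row["LocalPort"])
            if classify(row["LocalAddr"]) == "loopback" and lport >= EPHEMERAL_START:
                listeners.append((owner, pid, lport))   # the F002 pattern
            continue
        fport = int(row["ForeignPort"])
        key = (row["ForeignAddr"], fport)
        entry = peers.setdefault(key, {
            "scope": classify(row["ForeignAddr"]),
            "service": LATERAL_PORTS.get(fport, "other"),
            "states": set(),
            "owners": set(),
        })
        entry["states"].add(row["State"])
        entry["owners"].add(owner)
    return {"peers": peers, "local_listeners": listeners}


def external_peers(report: dict) -> list:
    """Remote endpoints outside RFC 1918 and loopback: the only ones that can be called external."""
    return sorted(k for k, v in report["peers"].items() if v["scope"] == "public")


def lateral_targets(report: dict) -> list:
    """Internal hosts contacted on SMB/RDP/RPC/WinRM, regardless of socket state."""
    return sorted((addr, v["service"]) for (addr, _), v in report["peers"].items()
                  if v["scope"] == "private" and v["service"] != "other")


if __name__ == "__main__":
    report = triage(SAMPLE_NETSCAN)
    for (addr, port), v in sorted(report["peers"].items()):
        print(f"{addr}:{port:<5} {v['scope']:<8} {v['service']:<6} "
              f"{sorted(v['states'])} {sorted(v['owners'])}")
    print("external peers   :", external_peers(report))
    print("lateral targets  :", lateral_targets(report))
    print("loopback listeners:", report["local_listeners"])
```

Run against the constructed sample, the 172.16.4.10:8080 peer is reported as private with both ESTABLISHED and CLOSE_WAIT sockets, only 203.0.113.7:443 qualifies as external, and the CLOSED RDP socket still surfaces 172.16.5.26 as a lateral target, which is the reason CLOSED and CLOSE_WAIT rows should not be discarded during triage.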