F005 HIGH
Staged p.exe execution from temp perfmon directory
extract_mft_timeline, get_amcache, run_strings, vol_cmdline, +8
Confirmed malicious, 51 proofs
F008 CRITICAL
PsExec and PWDumpX staged in Windows Temp (Credential Access / Lateral Movement)
extract_mft_timeline, get_amcache, parse_event_logs, parse_userassist, +1
Confirmed malicious, 4 proofs