Investigation Agent
Status: Active · Triage · Evidence collection · Timeline analysis
Active Cases: 3 open
CASE-089 · Severity: critical · Risk 97/100
Suspected ransomware staging — Emotet C2
Host: WKSTN-042 · Opened: Today 09:41 · Assignee: AI Agent
Linked alerts: ALT-2841, ALT-2835
MITRE ATT&CK: T1059.001, T1071, T1562
Event Timeline (9 events)
ALERT · 09:41:02 (+0s) · Suspicious PowerShell execution detected
  powershell.exe spawned by winword.exe with encoded command — Wazuh rule 5710 fired
  Host: WKSTN-042 · Command line: powershell -enc JAB...

AGENT · 09:41:05 (+3s) · SIEM agent auto-triggered CASE-089
  Triage started · risk score 97/100 · assigned to Investigation agent

EVIDENCE · 09:41:12 (+10s) · Process tree collected
  Full execution chain captured: WINWORD.EXE → powershell.exe → cmd.exe → regsvr32.exe

NETWORK · 09:41:28 (+26s) · Malicious outbound connection established
  HTTPS beacon to 185.220.101.47:443 — 4 packets, 2.1 KB exfiltrated

IOC MATCH · 09:42:00 (+58s) · IOC matched — Emotet C2 infrastructure
  IP 185.220.101.47 confirmed in MISP Emotet campaign feed (confidence 95%)

AGENT · 09:42:15 (+1m 13s) · Guardian agent notified — isolation candidate
  WKSTN-042 flagged for network isolation pending analyst approval

ACTION · 09:43:10 (+2m 08s) · Memory dump requested on WKSTN-042
  Live forensic acquisition initiated · 16 GB dump · ETA 8 minutes

EVIDENCE · 09:47:55 (+6m 53s) · Malicious DLL extracted from memory
  Unpacked payload identified: TrickBot loader variant — SHA256: e3b0c44298fc...

IOC MATCH · 09:51:30 (+10m 28s) · Lateral movement attempt detected — blocked
  WKSTN-042 attempted SMB connection to SRV-DC01 · Guardian blocked at firewall
Risk Score (live): 97/100 · Critical
Network Indicators
185.220.101.47 · Emotet C2 · DE · 4 hits
194.165.16.72 · Loader dist. · NL · 2 hits
10.0.0.5 · Internal DC · 1 hit
Evidence Vault
forensic-042-09431000.dmp · Memory dump · 16.2 GB
process-tree-042.json · Process tree · 48 KB
network-pcap-042.pcap · Network capture · 2.1 MB
registry-hives-042.zip · Registry dump · 820 KB
browser-artifacts-042.zip · Browser data · —