Investigation Agent

Active · Triage · Evidence collection · Timeline analysis

Active Cases: 3 open
CASE-089 · critical · Risk 97/100

Suspected ransomware staging — Emotet C2

WKSTN-042 · Today 09:41 · AI Agent
Alerts: ALT-2841, ALT-2835
MITRE: T1059.001, T1071, T1562
9 events

Event Timeline

ALERT · Suspicious PowerShell execution detected
09:41:02 (+0s)

powershell.exe spawned by winword.exe with encoded command — Wazuh rule 5710 fired

WKSTN-042
powershell -enc JAB...
AGENT · SIEM agent auto-triggered CASE-089
09:41:05 (+3s)

Triage started · risk score 97/100 · assigned to Investigation agent

EVIDENCE · Process tree collected
09:41:12 (+10s)

Full execution chain captured: WINWORD.EXE → powershell.exe → cmd.exe → regsvr32.exe

NETWORK · Malicious outbound connection established
09:41:28 (+26s)

HTTPS beacon to 185.220.101.47:443 — 4 packets, 2.1 KB exfiltrated

IOC MATCH · IOC matched — Emotet C2 infrastructure
09:42:00 (+58s)

IP 185.220.101.47 confirmed in MISP Emotet campaign feed (confidence 95%)

AGENT · Guardian agent notified — isolation candidate
09:42:15 (+1m 13s)

WKSTN-042 flagged for network isolation pending analyst approval

ACTION · Memory dump requested on WKSTN-042
09:43:10 (+2m 08s)

Live forensic acquisition initiated · 16 GB dump · ETA 8 minutes

EVIDENCE · Malicious DLL extracted from memory
09:47:55 (+6m 53s)

Unpacked payload identified: TrickBot loader variant — SHA256: e3b0c44298fc...

IOC MATCH · Lateral movement attempt detected — blocked
09:51:30 (+10m 28s)

WKSTN-042 attempted SMB connection to SRV-DC01 · Guardian blocked at firewall

Risk Score — Live

97/100 · Critical

Network Indicators

185.220.101.47 · Emotet C2 · DE · 4 hits · Blocked
194.165.16.72 · Loader dist. · NL · 2 hits · Blocked
10.0.0.5 · Internal DC · 1 hit

Evidence Vault

forensic-042-09431000.dmp · Memory dump · 16.2 GB
process-tree-042.json · Process tree · 48 KB
network-pcap-042.pcap · Network capture · 2.1 MB
registry-hives-042.zip · Registry dump · 820 KB
browser-artifacts-042.zip · Browser data