From the logs, PC3 shows outlook.exe spawning excel.exe at 1:15 PM, and later excel.exe spawning procdump.exe at 1:16 PM. This is highly suspicious because outlook.exe should not normally launch Excel, and procdump.exe is often used by attackers to dump process memory, which is a common technique in credential theft.
PC1: Running expected Windows processes (wininit.exe spawning services.exe and lsass.exe).
PC2: Running a browser process (chrome.exe) from explorer.exe, which is normal.
PC4: Running mstsc.exe (Remote Desktop) from explorer.exe, which is expected.
PC5: Running Firefox from explorer.exe, which is normal.
Thus, PC3 should be prioritized for investigation due to its potential involvement in credential theft.
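The parent-child lineage check described in this answer, written up as an added detection example that is not part of the original post. The log format, host names and the rule names are constructed assumptions; the image names are the ones discussed above.

```python
import re
from collections import defaultdict

# Constructed sample process-creation log lines (not from the original page).
# Format assumed here: "<time> <host> <parent image> -> <child image>"
SAMPLE_LOG = """\
13:10 PC1 wininit.exe -> services.exe
13:11 PC1 wininit.exe -> lsass.exe
13:12 PC2 explorer.exe -> chrome.exe
13:15 PC3 outlook.exe -> excel.exe
13:16 PC3 excel.exe -> procdump.exe
13:17 PC4 explorer.exe -> mstsc.exe
13:18 PC5 explorer.exe -> firefox.exe
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")

# Mail client and Office applications: one of these launching another is abnormal.
OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Child images that indicate process-memory dumping (credential-access tooling).
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}


def parse_log(text):
    """Return (time, host, parent, child) tuples, lower-cased; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(tuple(s.lower() for s in m.groups()))
    return events


def score_hosts(events):
    """Map each host to its findings; a finding is (time, rule, parent, child)."""
    findings = defaultdict(list)
    for time, host, parent, child in events:
        # Rule 1: an Office/mail app spawning another Office app (outlook -> excel).
        if parent in OFFICE_APPS and child in OFFICE_APPS:
            findings[host].append((time, "office-spawns-office", parent, child))
        # Rule 2: any process spawning a memory-dump tool; escalated when the
        # parent is itself an Office app, as in the excel -> procdump chain above.
        if child in DUMP_TOOLS:
            rule = "office-spawns-dump-tool" if parent in OFFICE_APPS else "dump-tool-spawned"
            findings[host].append((time, rule, parent, child))
    return dict(findings)


def prioritize(events):
    """Hosts with findings, most findings first; hosts with none are omitted."""
    scored = score_hosts(events)
    return sorted(scored, key=lambda h: len(scored[h]), reverse=True)
```

Running `prioritize(parse_log(SAMPLE_LOG))` returns only PC3, with both rules firing on it, while PC1, PC2, PC4 and PC5 produce no findings.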