EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 117788
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-2.attackrange.local
RuleName: -
UtcTime: 2023-04-21 16:20:56.323
ProcessGuid: {F02F376E-B7E8-6442-6E3B-00000000D902}
ProcessId: 2396
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\Windows\system32\cmd.exe /Q /c C:\Windows\rIIBPrqF.bat
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {F02F376E-166E-6440-E703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A
ParentProcessGuid: {F02F376E-B7E8-6442-6D3B-00000000D902}
ParentProcessId: 4012
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\rIIBPrqF.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\rIIBPrqF.bat & del C:\Windows\rIIBPrqF.bat
ParentUser: NT AUTHORITY\SYSTEM

EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 117786
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-2.attackrange.local
RuleName: -
UtcTime: 2023-04-21 16:20:56.311
ProcessGuid: {F02F376E-B7E8-6442-6D3B-00000000D902}
ProcessId: 4012
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\rIIBPrqF.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\rIIBPrqF.bat & del C:\Windows\rIIBPrqF.bat
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {F02F376E-166E-6440-E703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A
ParentProcessGuid: {F02F376E-166E-6440-0A00-00000000D902}
ParentProcessId: 588
ParentImage: C:\Windows\System32\services.exe
ParentCommandLine: C:\Windows\system32\services.exe
ParentUser: NT AUTHORITY\SYSTEM

EventID: 13
Version: 2
Level: 4
Task: 13
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 117785
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-2.attackrange.local
RuleName: T1031,T1050
EventType: SetValue
UtcTime: 2023-04-21 16:20:56.295
ProcessGuid: {F02F376E-166E-6440-0A00-00000000D902}
ProcessId: 588
Image: C:\Windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\BTOBTO\ImagePath
Details: %%COMSPEC%% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %%SYSTEMROOT%%\rIIBPrqF.bat & %%COMSPEC%% /Q /c %%SYSTEMROOT%%\rIIBPrqF.bat & del %%SYSTEMROOT%%\rIIBPrqF.bat
User: NT AUTHORITY\SYSTEM