154100x8000000000000000117807Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-21 16:21:36.830{F02F376E-B810-6442-753B-00000000D902}4936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__16820 2>&1C:\windows\system32\ATTACKRANGE\reed_potts{F02F376E-A250-6440-8A21-D10000000000}0xd1218a2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F02F376E-A252-6440-690C-00000000D902}3484C:\Windows\explorer.exeC:\Windows\Explorer.EXEATTACKRANGE\reed_potts 154100x8000000000000000117788Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-21 16:20:56.323{F02F376E-B7E8-6442-6E3B-00000000D902}2396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /Q /c C:\Windows\rIIBPrqF.bat C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-166E-6440-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F02F376E-B7E8-6442-6D3B-00000000D902}4012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\rIIBPrqF.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\rIIBPrqF.bat & del C:\Windows\rIIBPrqF.batNT AUTHORITY\SYSTEM 154100x8000000000000000117786Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-21 16:20:56.311{F02F376E-B7E8-6442-6D3B-00000000D902}4012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\rIIBPrqF.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\rIIBPrqF.bat & del C:\Windows\rIIBPrqF.batC:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-166E-6440-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F02F376E-166E-6440-0A00-00000000D902}588C:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\SYSTEM 13241300x8000000000000000117785Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1031,T1050SetValue2023-04-21 16:20:56.295{F02F376E-166E-6440-0A00-00000000D902}588C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\BTOBTO\ImagePath%%COMSPEC%% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %%SYSTEMROOT%%\rIIBPrqF.bat & %%COMSPEC%% /Q /c %%SYSTEMROOT%%\rIIBPrqF.bat & del %%SYSTEMROOT%%\rIIBPrqF.batNT AUTHORITY\SYSTEM 154100x8000000000000000117780Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-21 16:20:38.556{F02F376E-B7D6-6442-683B-00000000D902}4200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1682094037.0726507 2>&1C:\ATTACKRANGE\Administrator{F02F376E-B7D5-6442-8067-380600000000}0x63867800HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F02F376E-1673-6440-3B00-00000000D902}2860C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingNT AUTHORITY\NETWORK SERVICE 154100x8000000000000000117779Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-21 16:20:37.488{F02F376E-B7D5-6442-663B-00000000D902}3132C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1682094037.0726507 2>&1C:\ATTACKRANGE\Administrator{F02F376E-B7D5-6442-8067-380600000000}0x63867800HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F02F376E-1673-6440-3B00-00000000D902}2860C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingNT AUTHORITY\NETWORK SERVICE 154100x8000000000000000117770Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-21 16:19:15.503{F02F376E-B783-6442-5C3B-00000000D902}5832C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exe C:\ATTACKRANGE\Administrator{F02F376E-B781-6442-438F-370600000000}0x6378f430HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{F02F376E-B783-6442-5A3B-00000000D902}5432C:\Windows\System32\cmd.execmd.exe /Q /c calc.exe 1> \\127.0.0.1\ADMIN$\__1682093952.9918194 2>&1ATTACKRANGE\Administrator 154100x8000000000000000117769Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-21 16:19:15.473{F02F376E-B783-6442-5A3B-00000000D902}5432C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /Q /c calc.exe 1> \\127.0.0.1\ADMIN$\__1682093952.9918194 2>&1C:\ATTACKRANGE\Administrator{F02F376E-B781-6442-438F-370600000000}0x6378f430HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F02F376E-1673-6440-3B00-00000000D902}2860C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingNT AUTHORITY\NETWORK SERVICE 154100x8000000000000000117768Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-21 16:19:14.418{F02F376E-B782-6442-583B-00000000D902}1924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1682093952.9918194 2>&1C:\ATTACKRANGE\Administrator{F02F376E-B781-6442-438F-370600000000}0x6378f430HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F02F376E-1673-6440-3B00-00000000D902}2860C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingNT AUTHORITY\NETWORK SERVICE 154100x8000000000000000117767Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-21 16:19:13.351{F02F376E-B781-6442-563B-00000000D902}4048C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1682093952.9918194 2>&1C:\ATTACKRANGE\Administrator{F02F376E-B781-6442-438F-370600000000}0x6378f430HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F02F376E-1673-6440-3B00-00000000D902}2860C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingNT AUTHORITY\NETWORK SERVICE