11241100x8000000000000000586116Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:18.536{51A89197-3B89-654E-1600-000000001D00}700C:\Windows\System32\svchost.exeC:\Windows\Prefetch\CMDRENAMED.EXE-7BF57504.pf2024-04-30 15:37:18.536NT AUTHORITY\SYSTEM 13241300x8000000000000000586088Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-SetValue2024-04-30 15:37:18.474{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exeHKLM\System\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1854396824-2342670854-3736740652-1000\\Device\HarddiskVolume1\Temp\cmdrenamed.exeBinary DataATTACKBOX-WIN10\attacker 534500x8000000000000000586087Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:18.474{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeATTACKBOX-WIN10\attacker 824800x8000000000000000586086Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:18.474{51A89197-3B87-654E-0900-000000001D00}500C:\Windows\System32\csrss.exe{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exe25840x00007FFF52045660C:\Windows\System32\KERNELBASE.dllCtrlRoutineNT AUTHORITY\SYSTEMATTACKBOX-WIN10\attacker 10341000x8000000000000000586034Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:17.084{51A89197-3B96-654E-5D00-000000001D00}4372912C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\TaskFlowDataEngine.dll+78e25|C:\Windows\System32\TaskFlowDataEngine.dll+785cb|C:\Windows\System32\TaskFlowDataEngine.dll+78129|C:\Windows\System32\TaskFlowDataEngine.dll+77c3d|C:\Windows\System32\TaskFlowDataEngine.dll+75eb3|C:\Windows\System32\TaskFlowDataEngine.dll+74f32|C:\Windows\System32\TaskFlowDataEngine.dll+7fbd1|C:\Windows\System32\TaskFlowDataEngine.dll+16ae5|C:\Windows\System32\TaskFlowDataEngine.dll+16d2d|C:\Windows\System32\TaskFlowDataEngine.dll+16d69|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000586032Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:17.052{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\NPSMDesktopProvider.dll+1e84e|C:\Windows\System32\NPSMDesktopProvider.dll+14882|C:\Windows\System32\NPSMDesktopProvider.dll+15001|C:\Windows\System32\NPSMDesktopProvider.dll+8f45|C:\Windows\system32\twinui.pcshell.dll+70c31|C:\Windows\system32\twinui.pcshell.dll+15606|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000586031Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:17.052{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.pcshell.dll+7bf9c|C:\Windows\system32\twinui.pcshell.dll+2f390|C:\Windows\system32\twinui.pcshell.dll+2f4aa|C:\Windows\system32\twinui.pcshell.dll+70c31|C:\Windows\system32\twinui.pcshell.dll+15606|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000586029Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:17.052{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.dll+2721c|C:\Windows\system32\twinui.dll+26569|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000586028Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:17.052{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\TWINAPI.dll+5fd1|C:\Windows\system32\twinui.pcshell.dll+37a43|C:\Windows\system32\twinui.pcshell.dll+3c009|C:\Windows\system32\twinui.dll+26542|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000586021Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:17.005{51A89197-3B96-654E-5D00-000000001D00}43723968C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\appresolver.dll+215b0|C:\Windows\System32\appresolver.dll+1e7c5|C:\Windows\System32\appresolver.dll+1e4cf|C:\Windows\Explorer.EXE+60515|C:\Windows\Explorer.EXE+60304|C:\Windows\Explorer.EXE+6028d|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000586020Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:17.005{51A89197-3B96-654E-5D00-000000001D00}43723968C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\appresolver.dll+1e70f|C:\Windows\System32\appresolver.dll+1e4cf|C:\Windows\Explorer.EXE+60515|C:\Windows\Explorer.EXE+60304|C:\Windows\Explorer.EXE+6028d|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000586019Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:17.005{51A89197-3B96-654E-5D00-000000001D00}43723968C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\appresolver.dll+218a2|C:\Windows\System32\appresolver.dll+1e5de|C:\Windows\System32\appresolver.dll+1e4cf|C:\Windows\Explorer.EXE+60515|C:\Windows\Explorer.EXE+60304|C:\Windows\Explorer.EXE+6028d|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585974Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:16.224{51A89197-3B96-654E-5D00-000000001D00}43725108C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.dll+27d39|C:\Windows\SYSTEM32\ntdll.dll+2a205|C:\Windows\SYSTEM32\ntdll.dll+26a3d|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585935Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:13.177{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.pcshell.dll+7bf9c|C:\Windows\system32\twinui.pcshell.dll+2f390|C:\Windows\system32\twinui.pcshell.dll+2f615|C:\Windows\system32\twinui.pcshell.dll+70c31|C:\Windows\system32\twinui.pcshell.dll+15606|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585897Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.536{51A89197-3B96-654E-5D00-000000001D00}43724624C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\Explorer.EXE+5ce10|C:\Windows\Explorer.EXE+474ab|C:\Windows\Explorer.EXE+45c22|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+1690b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_fb43a2cb30647007\comctl32.dll+2d96b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_fb43a2cb30647007\comctl32.dll+2d737|C:\Program Files\Open-Shell\StartMenuDLL.dll+1b4ef|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_fb43a2cb30647007\comctl32.dll+2d9c7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_fb43a2cb30647007\comctl32.dll+2d802|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\Explorer.EXE+4a2d2|C:\Windows\Explorer.EXE+937a3|C:\Windows\System32\shcore.dll+33fb5|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 734700x8000000000000000585881Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.427{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\advapi32.dll10.0.17134.471 (WinBuild.160101.0800)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllSHA1=86DE00DCF65B3AC656158B829053AFC368BD647F,MD5=C102A6FF0FE651242BE9A4BE3E579106,SHA256=EF117B762C2C680D181CF4119FF611C9DE46FCEA6B60775E746541F5DD8F1CD0,IMPHASH=0475FE4DD54AD7F28E679FF261C67BF3trueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585880Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.427{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\wintrust.dll10.0.17134.556 (WinBuild.160101.0800)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLSHA1=9CC7DA2B533952E7F4F6CC730871C5297326E2E9,MD5=642F9E6EBD059A9DE2E4C88DA02A2B33,SHA256=CCBDABCEDE143A2352B3FAB8A8E2A02B871CFFA826318E379B82ADD6C586D1C2,IMPHASH=A67EC84098A89C564A7957E55727E43FtrueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585879Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.427{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\msasn1.dll10.0.17134.1 (WinBuild.160101.0800)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllSHA1=45822B434605A4D1C60C814263F341C9D4D5A84C,MD5=31F9783D0EC7C6ED7E7C1A964C4E3614,SHA256=21AED93FAFDFDA3049D77EA8D4C14369A6157A9AAC6ABA86E9A56DAE500BD5DD,IMPHASH=BDACB2E2B23E3493547E6859F06D493FtrueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585878Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.427{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\crypt32.dll10.0.17134.1 (WinBuild.160101.0800)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLSHA1=42B8241C53758256244017D89752932C57581C80,MD5=04B1E9B60F8ABDF718135BD62D8E554D,SHA256=332B99071E6D8A0DD110C6C1F0A76898773E6661840FED804101DD7173B6C577,IMPHASH=D2996D954533896638CFB94FD38EEE56trueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585877Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.427{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\sechost.dll10.0.17134.319 (WinBuild.160101.0800)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllSHA1=136453020D3A1C3F87829F7BD83C7B36C0A27805,MD5=AB7AA9E1AE57362E4E78703E3A2D5A7D,SHA256=8198A73682BA00568EDAFD2091E4AFAC6F33C361CCBADC5BD23154B362911CA8,IMPHASH=1ABE74A44180732951AB6EDFA1AA0282trueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585876Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.427{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\bcryptprimitives.dll10.0.17134.1 (WinBuild.160101.0800)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllSHA1=77017C919E2B8BFF4624E7C91CB8E3360B64E963,MD5=211D98BDF8BB67866F169DC23ECABA5B,SHA256=60B16451000BF1DDC1E1CF1CE27526A259987E712D80D49C87A448E9FB70DE5C,IMPHASH=C7FCD14944F90184E7A61DBD9322926BtrueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585875Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.427{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\rpcrt4.dll10.0.17134.648 (WinBuild.160101.0800)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllSHA1=95466888B0062EE59588D02F897FEEB2D6AE5E7C,MD5=B76F8A048F5A0A05018D2413694D4DAA,SHA256=C5C37A2000626137DCDFF1D3D895C2CAE55C31925A787621783F2B750A05CE4C,IMPHASH=8D57648E6B44F7EEB8EC42A52C4DE444trueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585874Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.427{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\ucrtbase.dll10.0.17134.677 (WinBuild.160101.0800)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllSHA1=14205F96B616C35F66B36978C1868D13FB0D5598,MD5=1F7D0DEFBA3C793F018F7D10ECDEAB8D,SHA256=0797F4A5EAA5BA3C35287F0D75084A9E7805596D199B66EB00DED9D865E275B6,IMPHASH=EA4D5E085D5BBDBD19DCCE14D926B29EtrueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585873Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.427{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\combase.dll10.0.17134.619 (WinBuild.160101.0800)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLSHA1=77A271F5B8DECC7D668F833B3769AC3A7637874D,MD5=2471D4FEEFD93183284363E012C04C7C,SHA256=88BEE99EAE4A1A97E10D749D807DD03C7B092B4CAFFA78DDCAEB0FCFC5E3E661,IMPHASH=FE529835066894B316B2106B974FB01BtrueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585872Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.412{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\wldp.dll10.0.17134.556 (WinBuild.160101.0800)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllSHA1=79B0DE9E4E786D09F54E8700D31DD87D6341F30C,MD5=1342AF5B645A8BC05F6DFB8C8FA3EE42,SHA256=66930691B0C88337669DF46E90FED30C85141A3CB5C35C3D310CA6831CAD969D,IMPHASH=EE81985E2FFC06F215A4F96631CAEC8CtrueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585871Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.412{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\winbrand.dll10.0.17134.1 (WinBuild.160101.0800)Windows Branding ResourcesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinbrand.dllSHA1=6673C69B90E4B398C9997CB6AA0D73BD8E8E43C7,MD5=FB6DFED4E3B62D2AD496A779A997CE1B,SHA256=8008EB72EFE222EFFE3E6C0DDA810799D6D3C7B435F66562B6F51987A110E5EB,IMPHASH=42C25F6F081B2AC2B17D50AB1EB7388BtrueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 10341000x8000000000000000585852Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.365{51A89197-3B96-654E-5D00-000000001D00}4372912C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\TaskFlowDataEngine.dll+78e25|C:\Windows\System32\TaskFlowDataEngine.dll+78abe|C:\Windows\System32\TaskFlowDataEngine.dll+7b24d|C:\Windows\System32\TaskFlowDataEngine.dll+7b5c2|C:\Windows\System32\TaskFlowDataEngine.dll+77c69|C:\Windows\System32\TaskFlowDataEngine.dll+75eb3|C:\Windows\System32\TaskFlowDataEngine.dll+74f32|C:\Windows\System32\TaskFlowDataEngine.dll+7fbd1|C:\Windows\System32\TaskFlowDataEngine.dll+16ae5|C:\Windows\System32\TaskFlowDataEngine.dll+16d2d|C:\Windows\System32\TaskFlowDataEngine.dll+16d69|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585850Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.365{51A89197-3B96-654E-5D00-000000001D00}4372912C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\TaskFlowDataEngine.dll+78e25|C:\Windows\System32\TaskFlowDataEngine.dll+785cb|C:\Windows\System32\TaskFlowDataEngine.dll+78129|C:\Windows\System32\TaskFlowDataEngine.dll+77c3d|C:\Windows\System32\TaskFlowDataEngine.dll+75eb3|C:\Windows\System32\TaskFlowDataEngine.dll+74f32|C:\Windows\System32\TaskFlowDataEngine.dll+7fbd1|C:\Windows\System32\TaskFlowDataEngine.dll+16ae5|C:\Windows\System32\TaskFlowDataEngine.dll+16d2d|C:\Windows\System32\TaskFlowDataEngine.dll+16d69|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 734700x8000000000000000585845Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.349{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\msvcrt.dll7.0.17134.1 (WinBuild.160101.0800)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllSHA1=5BB0FC89E614BCD1903D702ECA6CF79DBC25D661,MD5=7FCD4654FC7F16FDA52848E2D0AAFA9D,SHA256=995F25E8380D924C98DBE44F68D6BF2B0A62244BFE817A22D91B9586E3B479F6,IMPHASH=4BA50461B0B5FF3404B4A5B55C6A08B4trueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 10341000x8000000000000000585840Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\NPSMDesktopProvider.dll+1e84e|C:\Windows\System32\NPSMDesktopProvider.dll+14882|C:\Windows\System32\NPSMDesktopProvider.dll+15001|C:\Windows\System32\NPSMDesktopProvider.dll+8f45|C:\Windows\system32\twinui.pcshell.dll+70c31|C:\Windows\system32\twinui.pcshell.dll+15606|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585839Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.pcshell.dll+7bf9c|C:\Windows\system32\twinui.pcshell.dll+2f390|C:\Windows\system32\twinui.pcshell.dll+2f4aa|C:\Windows\system32\twinui.pcshell.dll+70c31|C:\Windows\system32\twinui.pcshell.dll+15606|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585837Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B96-654E-5D00-000000001D00}4372912C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dd82|C:\Windows\SYSTEM32\twinapi.appcore.dll+20869|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d05f|C:\Windows\System32\TaskFlowDataEngine.dll+7ab79|C:\Windows\System32\TaskFlowDataEngine.dll+78db0|C:\Windows\System32\TaskFlowDataEngine.dll+76018|C:\Windows\System32\TaskFlowDataEngine.dll+74f32|C:\Windows\System32\TaskFlowDataEngine.dll+7fbd1|C:\Windows\System32\TaskFlowDataEngine.dll+16ae5|C:\Windows\System32\TaskFlowDataEngine.dll+16d2d|C:\Windows\System32\TaskFlowDataEngine.dll+16d69|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585836Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B96-654E-5D00-000000001D00}4372912C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dd0f|C:\Windows\SYSTEM32\twinapi.appcore.dll+20869|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d05f|C:\Windows\System32\TaskFlowDataEngine.dll+7ab79|C:\Windows\System32\TaskFlowDataEngine.dll+78db0|C:\Windows\System32\TaskFlowDataEngine.dll+76018|C:\Windows\System32\TaskFlowDataEngine.dll+74f32|C:\Windows\System32\TaskFlowDataEngine.dll+7fbd1|C:\Windows\System32\TaskFlowDataEngine.dll+16ae5|C:\Windows\System32\TaskFlowDataEngine.dll+16d2d|C:\Windows\System32\TaskFlowDataEngine.dll+16d69|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585835Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.pcshell.dll+7bf9c|C:\Windows\system32\twinui.pcshell.dll+2f390|C:\Windows\system32\twinui.pcshell.dll+2f5f3|C:\Windows\system32\twinui.pcshell.dll+70c31|C:\Windows\system32\twinui.pcshell.dll+15606|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585834Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B96-654E-5D00-000000001D00}43727816C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.dll+22d71|C:\Windows\system32\twinui.dll+219d9|C:\Windows\system32\twinui.dll+221de|C:\Windows\system32\twinui.dll+206c9|C:\Windows\system32\twinui.dll+20dbf|C:\Windows\system32\twinui.dll+3332d|C:\Windows\system32\twinui.dll+33cd1|C:\Windows\system32\twinui.dll+352f1|C:\Windows\system32\twinui.dll+37125|C:\Windows\system32\twinui.dll+3a5de|C:\Windows\SYSTEM32\ntdll.dll+77445|C:\Windows\SYSTEM32\ntdll.dll+26a58|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585833Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B88-654E-0D00-000000001D00}7487124C:\Windows\system32\svchost.exe{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+9ee7|C:\Windows\SYSTEM32\resourcepolicyserver.dll+8fcd|C:\Windows\SYSTEM32\resourcepolicyserver.dll+44ad|C:\Windows\System32\RPCRT4.dll+74413|C:\Windows\System32\RPCRT4.dll+ddbdd|C:\Windows\System32\RPCRT4.dll+62a3c|C:\Windows\System32\RPCRT4.dll+2d4e4|C:\Windows\System32\RPCRT4.dll+2c648|C:\Windows\System32\RPCRT4.dll+2ce9b|C:\Windows\System32\RPCRT4.dll+360a6|C:\Windows\System32\RPCRT4.dll+36aac|C:\Windows\System32\RPCRT4.dll+3290d|C:\Windows\System32\RPCRT4.dll+3400d|C:\Windows\System32\RPCRT4.dll+1d0b8|C:\Windows\SYSTEM32\ntdll.dll+27c9e|C:\Windows\SYSTEM32\ntdll.dll+26588|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691NT AUTHORITY\SYSTEMATTACKBOX-WIN10\attacker 10341000x8000000000000000585832Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B88-654E-0D00-000000001D00}7487124C:\Windows\system32\svchost.exe{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+5442|C:\Windows\SYSTEM32\resourcepolicyserver.dll+8098|C:\Windows\SYSTEM32\resourcepolicyserver.dll+99c6|C:\Windows\SYSTEM32\resourcepolicyserver.dll+8fbc|C:\Windows\SYSTEM32\resourcepolicyserver.dll+44ad|C:\Windows\System32\RPCRT4.dll+74413|C:\Windows\System32\RPCRT4.dll+ddbdd|C:\Windows\System32\RPCRT4.dll+62a3c|C:\Windows\System32\RPCRT4.dll+2d4e4|C:\Windows\System32\RPCRT4.dll+2c648|C:\Windows\System32\RPCRT4.dll+2ce9b|C:\Windows\System32\RPCRT4.dll+360a6|C:\Windows\System32\RPCRT4.dll+36aac|C:\Windows\System32\RPCRT4.dll+3290d|C:\Windows\System32\RPCRT4.dll+3400d|C:\Windows\System32\RPCRT4.dll+1d0b8|C:\Windows\SYSTEM32\ntdll.dll+27c9e|C:\Windows\SYSTEM32\ntdll.dll+26588|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691NT AUTHORITY\SYSTEMATTACKBOX-WIN10\attacker 10341000x8000000000000000585831Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B96-654E-5D00-000000001D00}43727816C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.dll+1fe40|C:\Windows\system32\twinui.dll+1ff8d|C:\Windows\system32\twinui.dll+1fd70|C:\Windows\system32\twinui.dll+20d35|C:\Windows\system32\twinui.dll+3332d|C:\Windows\system32\twinui.dll+33cd1|C:\Windows\system32\twinui.dll+352f1|C:\Windows\system32\twinui.dll+37125|C:\Windows\system32\twinui.dll+3a5de|C:\Windows\SYSTEM32\ntdll.dll+77445|C:\Windows\SYSTEM32\ntdll.dll+26a58|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585830Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B96-654E-5D00-000000001D00}43727816C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.dll+213d8|C:\Windows\system32\twinui.dll+332fb|C:\Windows\system32\twinui.dll+33cd1|C:\Windows\system32\twinui.dll+352f1|C:\Windows\system32\twinui.dll+37125|C:\Windows\system32\twinui.dll+3a5de|C:\Windows\SYSTEM32\ntdll.dll+77445|C:\Windows\SYSTEM32\ntdll.dll+26a58|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585825Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.318{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\TWINAPI.dll+5fd1|C:\Windows\system32\twinui.pcshell.dll+37a43|C:\Windows\system32\twinui.pcshell.dll+3c009|C:\Windows\system32\twinui.pcshell.dll+79e64|C:\Windows\system32\twinui.pcshell.dll+3c8f2|C:\Windows\system32\twinui.dll+26542|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 13241300x8000000000000000585823Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-SetValue2024-04-30 15:37:11.318{51A89197-3B81-654E-EB03-000000000000}4SystemHKLM\System\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1854396824-2342670854-3736740652-1000\\Device\HarddiskVolume1\Temp\cmdrenamed.exeBinary DataNT AUTHORITY\SYSTEM 10341000x8000000000000000585809Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.286{51A89197-3B96-654E-5D00-000000001D00}43723968C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\appresolver.dll+215b0|C:\Windows\System32\appresolver.dll+1e7c5|C:\Windows\System32\appresolver.dll+1e4cf|C:\Windows\Explorer.EXE+60515|C:\Windows\Explorer.EXE+60304|C:\Windows\Explorer.EXE+6028d|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585808Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.286{51A89197-3B96-654E-5D00-000000001D00}43723968C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\appresolver.dll+1e70f|C:\Windows\System32\appresolver.dll+1e4cf|C:\Windows\Explorer.EXE+60515|C:\Windows\Explorer.EXE+60304|C:\Windows\Explorer.EXE+6028d|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585807Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.286{51A89197-3B96-654E-5D00-000000001D00}43723968C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\appresolver.dll+218a2|C:\Windows\System32\appresolver.dll+1e5de|C:\Windows\System32\appresolver.dll+1e4cf|C:\Windows\Explorer.EXE+60515|C:\Windows\Explorer.EXE+60304|C:\Windows\Explorer.EXE+6028d|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585806Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.271{51A89197-3B96-654E-5D00-000000001D00}43723984C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\appresolver.dll+215b0|C:\Windows\System32\appresolver.dll+1e7c5|C:\Windows\System32\appresolver.dll+1e4cf|C:\Windows\Explorer.EXE+5d0bd|C:\Windows\Explorer.EXE+5d2ed|C:\Windows\Explorer.EXE+5d239|C:\Windows\Explorer.EXE+602c3|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585804Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.271{51A89197-3B96-654E-5D00-000000001D00}43723984C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\appresolver.dll+1e70f|C:\Windows\System32\appresolver.dll+1e4cf|C:\Windows\Explorer.EXE+5d0bd|C:\Windows\Explorer.EXE+5d2ed|C:\Windows\Explorer.EXE+5d239|C:\Windows\Explorer.EXE+602c3|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585803Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.271{51A89197-3B96-654E-5D00-000000001D00}43723984C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\System32\appresolver.dll+218a2|C:\Windows\System32\appresolver.dll+1e5de|C:\Windows\System32\appresolver.dll+1e4cf|C:\Windows\Explorer.EXE+5d0bd|C:\Windows\Explorer.EXE+5d2ed|C:\Windows\Explorer.EXE+5d239|C:\Windows\Explorer.EXE+602c3|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585802Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.224{51A89197-3B96-654E-5D00-000000001D00}43723984C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\Explorer.EXE+5ce10|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5d06f|C:\Windows\Explorer.EXE+5d2ed|C:\Windows\Explorer.EXE+5d239|C:\Windows\Explorer.EXE+602c3|C:\Windows\System32\windows.storage.dll+13ebf4|C:\Windows\System32\windows.storage.dll+13d943|C:\Windows\System32\windows.storage.dll+13d64f|C:\Windows\System32\shcore.dll+37056|C:\Windows\SYSTEM32\ntdll.dll+46975|C:\Windows\SYSTEM32\ntdll.dll+26a60|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585799Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.209{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.dll+2721c|C:\Windows\system32\twinui.dll+26569|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585798Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.209{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\TWINAPI.dll+5fd1|C:\Windows\system32\twinui.pcshell.dll+37a43|C:\Windows\system32\twinui.pcshell.dll+3c009|C:\Windows\system32\twinui.dll+26542|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585797Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.209{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\twinui.dll+2721c|C:\Windows\system32\twinui.dll+26569|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585796Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.209{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\TWINAPI.dll+5fd1|C:\Windows\system32\twinui.pcshell.dll+37a43|C:\Windows\system32\twinui.pcshell.dll+3c009|C:\Windows\system32\twinui.dll+26542|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585795Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.209{51A89197-3B96-654E-5D00-000000001D00}43724624C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\Explorer.EXE+5ce10|C:\Windows\Explorer.EXE+474ab|C:\Windows\Explorer.EXE+45c22|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+1690b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_fb43a2cb30647007\comctl32.dll+2d96b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_fb43a2cb30647007\comctl32.dll+2d737|C:\Program Files\Open-Shell\StartMenuDLL.dll+1b4ef|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_fb43a2cb30647007\comctl32.dll+2d9c7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_fb43a2cb30647007\comctl32.dll+2d802|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\Explorer.EXE+4a2d2|C:\Windows\Explorer.EXE+937a3|C:\Windows\System32\shcore.dll+33fb5|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585785Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.177{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\TWINAPI.dll+5fd1|C:\Windows\system32\twinui.pcshell.dll+37a43|C:\Windows\system32\twinui.pcshell.dll+3c009|C:\Windows\system32\twinui.dll+26542|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585778Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.177{51A89197-3B96-654E-5D00-000000001D00}43724944C:\Windows\Explorer.EXE{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\SYSTEM32\TWINAPI.dll+5fd1|C:\Windows\system32\twinui.pcshell.dll+37a43|C:\Windows\system32\twinui.pcshell.dll+3c009|C:\Windows\system32\twinui.dll+26542|C:\Windows\System32\user32.dll+16d41|C:\Windows\System32\user32.dll+16713|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2e21b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d7a4|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d2c0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2c772|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 10341000x8000000000000000585725Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:11.083{51A89197-1026-6631-1606-000000001D00}57882632C:\Windows\system32\conhost.exe{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9ae64|C:\Windows\System32\KERNELBASE.dll+2fd5d|C:\Windows\system32\conhost.exe+6a5a|C:\Windows\system32\conhost.exe+63f7|C:\Windows\system32\conhost.exe+738e|C:\Windows\system32\conhost.exe+a73f|C:\Windows\System32\KERNEL32.DLL+14034|C:\Windows\SYSTEM32\ntdll.dll+73691ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 154100x8000000000000000585699Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.988{51A89197-1026-6631-1606-000000001D00}5788C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\attacker{51A89197-3B8D-654E-4B02-020000000000}0x2024b1MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exe"C:\temp\cmdrenamed.exe" ATTACKBOX-WIN10\attacker 13241300x8000000000000000585698Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-SetValue2024-04-30 15:37:10.974{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exeHKLM\System\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1854396824-2342670854-3736740652-1000\\Device\HarddiskVolume1\Windows\System32\conhost.exeBinary DataATTACKBOX-WIN10\attacker 734700x8000000000000000585696Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.974{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\KernelBase.dll10.0.17134.556 (WinBuild.160101.0800)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllSHA1=13BC46DE564D0A715E88A9BF7F7F640211D0350E,MD5=60D1EB0BE090FFA6163D6540673B925C,SHA256=576ABFB3327A3B66A1C9779FD8E159ED17D227F8F9DE34C22035FB75B0A31BA3,IMPHASH=B6A56E7F6E9B3018B2475EE0547F0EFAtrueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585688Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.943{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\kernel32.dll10.0.17134.706 (WinBuild.160101.0800)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32SHA1=E6E99A68E4ADC88A19AE5B2A734BA50195D242CC,MD5=E1B62AD97016F328E6A843F690A6CD5F,SHA256=1B4AFDB38C6955F9DD375F376EA3ECD9222986EBCDABBEFBA28D9CC4A14A26F8,IMPHASH=100F313C3EEB0E6BB4BCD10918D650F0trueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585687Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.943{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Windows\System32\ntdll.dll10.0.17134.556 (WinBuild.160101.0800)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllSHA1=2CAAE2BEFD373926331F5FC806B62D3BED6DD5C9,MD5=61E6720247E029EE0100D287EF9543D5,SHA256=C5C078AFC3EA674F5F1E0915A33F579D2C931C36ABAF68804A1D78838ADD54AB,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 734700x8000000000000000585686Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.943{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exeC:\Temp\cmdrenamed.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FEtrueMicrosoft WindowsValidATTACKBOX-WIN10\attacker 10341000x8000000000000000585685Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.943{51A89197-1023-6631-1206-000000001D00}47247448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{51A89197-1026-6631-1406-000000001D00}5828C:\temp\cmdrenamed.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9c1d4|C:\Windows\System32\KERNELBASE.dll+3b602|C:\Windows\System32\KERNELBASE.dll+69156|C:\Windows\System32\KERNEL32.DLL+1b9e3|C:\Windows\System32\windows.storage.dll+138f8a|C:\Windows\System32\windows.storage.dll+138c46|C:\Windows\System32\windows.storage.dll+13896c|C:\Windows\System32\windows.storage.dll+139e6f|C:\Windows\System32\windows.storage.dll+13869e|C:\Windows\System32\windows.storage.dll+13b1af|C:\Windows\System32\windows.storage.dll+13b744|C:\Windows\System32\windows.storage.dll+13b3b4|C:\Windows\System32\shell32.dll+2d1a6|C:\Windows\System32\shell32.dll+2d01e|C:\Windows\System32\shell32.dll+2ccb8|C:\Windows\System32\shell32.dll+92c37|C:\Windows\System32\shell32.dll+92ba5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\390ce15833384db335593dfa637bf5e9\System.ni.dll+33833a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\390ce15833384db335593dfa637bf5e9\System.ni.dll+2757f1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\390ce15833384db335593dfa637bf5e9\System.ni.dll+acac28|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\390ce15833384db335593dfa637bf5e9\System.ni.dll+270e3f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\390ce15833384db335593dfa637bf5e9\System.ni.dll+2b460c|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\fdd76904665c37dd7afe5b363c2395ca\Microsoft.PowerShell.Commands.Management.ni.dll+142163|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\fdd76904665c37dd7afe5b363c2395ca\Microsoft.PowerShell.Commands.Management.ni.dll+142230ATTACKBOX-WIN10\attackerATTACKBOX-WIN10\attacker 154100x8000000000000000585684Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.941{51A89197-1026-6631-1406-000000001D00}5828C:\Temp\cmdrenamed.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\temp\cmdrenamed.exe" C:\DetectionTesting\ATTACKBOX-WIN10\attacker{51A89197-3B8D-654E-4B02-020000000000}0x2024b1MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-1023-6631-1206-000000001D00}4724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "copy C:\Windows\system32\cmd.exe C:\temp\cmd.exe; copy C:\Windows\system32\cmd.exe C:\temp\cmdrenamed.exe; start-process C:\temp\cmd.exe; start-process C:\temp\cmdrenamed.exe"ATTACKBOX-WIN10\attacker 154100x8000000000000000585679Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.918{51A89197-1026-6631-1306-000000001D00}4832C:\Temp\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\temp\cmd.exe" C:\DetectionTesting\ATTACKBOX-WIN10\attacker{51A89197-3B8D-654E-4B02-020000000000}0x2024b1MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-1023-6631-1206-000000001D00}4724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "copy C:\Windows\system32\cmd.exe C:\temp\cmd.exe; copy C:\Windows\system32\cmd.exe C:\temp\cmdrenamed.exe; start-process C:\temp\cmd.exe; start-process C:\temp\cmdrenamed.exe"ATTACKBOX-WIN10\attacker 29542900x8000000000000000585673Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.849{51A89197-1023-6631-1206-000000001D00}4724ATTACKBOX-WIN10\attackerC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\cmdrenamed.exeSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE 11241100x8000000000000000585672Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:10.849{51A89197-1023-6631-1206-000000001D00}4724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\cmdrenamed.exe2024-04-30 15:37:10.849ATTACKBOX-WIN10\attacker 4688201331200x802000000000000015426SecurityAttackBox-Win10ATTACKBOX-WIN10\attackerattackerATTACKBOX-WIN100x2024b0x169cC:\Windows\System32\conhost.exe%%19380x16c4\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Temp\cmdrenamed.exeMandatory Label\Medium Mandatory Level 4688201331200x802000000000000015424SecurityAttackBox-Win10ATTACKBOX-WIN10\attackerattackerATTACKBOX-WIN100x2024b0x16c4C:\Temp\cmdrenamed.exe%%19380x1274"C:\temp\cmdrenamed.exe" NULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\Medium Mandatory Level 4104152150x01352Microsoft-Windows-PowerShell/OperationalAttackBox-Win1011copy C:\Windows\system32\cmd.exe C:\temp\cmd.exe; copy C:\Windows\system32\cmd.exe C:\temp\cmdrenamed.exe; start-process C:\temp\cmd.exe; start-process C:\temp\cmdrenamed.exe6ac4817a-a818-484f-8cb8-fb462b254efe 154100x8000000000000000584863Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2024-04-30 15:37:07.047{51A89197-1023-6631-1206-000000001D00}4724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.17134.1 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "copy C:\Windows\system32\cmd.exe C:\temp\cmd.exe; copy C:\Windows\system32\cmd.exe C:\temp\cmdrenamed.exe; start-process C:\temp\cmd.exe; start-process C:\temp\cmdrenamed.exe"C:\Windows\system32\ATTACKBOX-WIN10\attacker{51A89197-3B8D-654E-4B02-020000000000}0x2024b1MediumSHA1=1B3B40FBC889FD4C645CC12C85D0805AC36BA254,MD5=95000560239032BC68B4C2FDFCDEF913,SHA256=D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F{51A89197-1017-6631-FE05-000000001D00}7880C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKBOX-WIN10\attacker 4688201331200x802000000000000015422SecurityAttackBox-Win10ATTACKBOX-WIN10\attackerattackerATTACKBOX-WIN100x2024b0x1274C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe%%19380x1ec8powershell "copy C:\Windows\system32\cmd.exe C:\temp\cmd.exe; copy C:\Windows\system32\cmd.exe C:\temp\cmdrenamed.exe; start-process C:\temp\cmd.exe; start-process C:\temp\cmdrenamed.exe"NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\Medium Mandatory Level